The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Permissions of /usr/bin/su, /usr/bin/newgrp, and /usr/bin/mount

Discussion in 'Security' started by Spork Schivago, Jun 16, 2017.

  1. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    481
    Likes Received:
    53
    Trophy Points:
    28
    Location:
    corning, ny
    cPanel Access Level:
    Root Administrator
    Hello,

    I've been searching the forums and net and couldn't really find the answer to this question. I'm running CentOS 7 and cPanel 11.64.0.24. I see other people have had this issue, I'm trying to understand how it happened though.

    I'm running rkhunter and it complains about three files having file permissions that are different than what RPM expects. Those three files and their current permissions and what their expected permissions are listed below:
    Code:
    FILE                REAL PERMISSIONS       EXPECTED PERMISSIONS
    ===============     ================       ====================
    /usr/bin/su               04750                   04755
    /usr/bin/newgrp            0755                   04755
    /usr/bin/mount             0755                   04755
    
    With /usr/bin/su, the expected owner and group is root:root, but the real owner is root:wheel.

    Are these changes that cPanel implemented for security reasons? I don't really understand why mount and newgrp have been modified. I can't really see Linode doing this without saying something.

    Thanks!
     
    #1 Spork Schivago, Jun 16, 2017
    Last edited: Jun 16, 2017
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,204
    Likes Received:
    1,296
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    I can confirm the permissions and ownership values you referenced (under the "Real Permissions" column in your post) match what's on my CentOS 7 (with a stock kernel) test system with cPanel. You may want to review the "/scripts/secureit" file to get a better idea of what this script does:

    Code:
    cat /scripts/secureit
    Additionally, you can view the cPanel installation log at /var/log/cpanel-install.log to see if permissions or ownership values were modified for a specific file.

    Thank you.
     
    Spork Schivago likes this.
  3. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    481
    Likes Received:
    53
    Trophy Points:
    28
    Location:
    corning, ny
    cPanel Access Level:
    Root Administrator
    Thanks! /script/secureit was what modified the permissions. I restored the various packages using yum, just until I could figure out what happened. Now that I figured out what happened, I tried to run /script/secureit in order to "secure" the files, but it's not working.

    This is the output that I get:
    Code:
    [root@franklin ~]# /scripts/secureit
    Finding set[gu]id files via find
    /usr/bin/find: warning: you are using `-perm +MODE'.  The interpretation of `-perm +omode' changed in findutils-4.5.11.  The syntax `-perm +omode' was removed in findutils-4.5.12, in favour of `-perm /omode'.
    /usr/bin/find: warning: you are using `-perm +MODE'.  The interpretation of `-perm +omode' changed in findutils-4.5.11.  The syntax `-perm +omode' was removed in findutils-4.5.12, in favour of `-perm /omode'.
    /usr/bin/find: warning: you are using `-perm +MODE'.  The interpretation of `-perm +omode' changed in findutils-4.5.11.  The syntax `-perm +omode' was removed in findutils-4.5.12, in favour of `-perm /omode'.
    /usr/bin/find: warning: you are using `-perm +MODE'.  The interpretation of `-perm +omode' changed in findutils-4.5.11.  The syntax `-perm +omode' was removed in findutils-4.5.12, in favour of `-perm /omode'.
    /usr/bin/find: warning: you are using `-perm +MODE'.  The interpretation of `-perm +omode' changed in findutils-4.5.11.  The syntax `-perm +omode' was removed in findutils-4.5.12, in favour of `-perm /omode'.
    /usr/bin/find: warning: you are using `-perm +MODE'.  The interpretation of `-perm +omode' changed in findutils-4.5.11.  The syntax `-perm +omode' was removed in findutils-4.5.12, in favour of `-perm /omode'.
    
    [root@franklin ~]# ls -l /usr/bin/su /usr/bin/newgrp /usr/bin/mount
    -rwsr-xr-x 1 root root 44232 Apr 12 16:43 /usr/bin/mount
    -rwsr-xr-x 1 root root 41776 Nov  5  2016 /usr/bin/newgrp
    -rwsr-xr-x 1 root root 32096 Apr 12 16:43 /usr/bin/su
    
    [root@franklin ~]# stat /usr/bin/su /usr/bin/newgrp /usr/bin/mount
      File: ‘/usr/bin/su’
      Size: 32096           Blocks: 64         IO Block: 4096   regular file
    Device: 800h/2048d      Inode: 3141        Links: 1
    Access: (4755/-rwsr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
    Access: 2017-06-17 12:00:32.655332221 -0400
    Modify: 2017-04-12 16:43:52.000000000 -0400
    Change: 2017-06-16 11:03:58.621243010 -0400
     Birth: -
    
      File: ‘/usr/bin/newgrp’
      Size: 41776           Blocks: 88         IO Block: 4096   regular file
    Device: 800h/2048d      Inode: 3090        Links: 1
    Access: (4755/-rwsr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
    Access: 2017-06-17 12:00:32.425331492 -0400
    Modify: 2016-11-05 16:17:10.000000000 -0400
    Change: 2017-06-16 11:04:24.854659503 -0400
     Birth: -
    
      File: ‘/usr/bin/mount’
      Size: 44232           Blocks: 88         IO Block: 4096   regular file
    Device: 800h/2048d      Inode: 3126        Links: 1
    Access: (4755/-rwsr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
    Access: 2017-06-17 12:00:31.815329559 -0400
    Modify: 2017-04-12 16:43:52.000000000 -0400
    Change: 2017-06-16 11:03:58.604576291 -0400
     Birth: -
    
    I can manually change the bitmasks for the files, but I think the secureit script might not be working properly. I even tried with the --fast parameter, which did remove the setuid bits from /usr/bin/mount and /usr/bin/newgrp. It didn't change the group for /usr/bin/su from root to wheel though. I thought there was an option under WHM but I cannot find it now. So I ran /usr/local/cpanel/bin/taskrun, which changed the /usr/bin/su group from root to wheel....

    Anyway, just wanted to let you know I think the /scripts/secureit script might not be functioning as it was intended to function. I believe to get the script to function properly, it should check if findutils is equal or greater to version 4.5.12 and if so, it should use find -perm /omode instead of find -perm +omode or perhaps just find -perm omode (for the new behaviour).

    Thanks!
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,204
    Likes Received:
    1,296
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Feel free to open a support ticket using the link in my signature if you'd like us to take a closer look and determine if that's the intended behavior. You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     
  5. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    481
    Likes Received:
    53
    Trophy Points:
    28
    Location:
    corning, ny
    cPanel Access Level:
    Root Administrator
    Okay, but now that the setuid bits are removed, it might be hard to test. Maybe I should readd the S bit to some files so they can verify the /scripts/secureit script doesn't remove them, unless the --fast command line option is applied.
     
Loading...

Share This Page