Novell LINUX ENTERPRISE DESKTOP 11 - SECURITY GUIDE 17-03-2009 Manual page 17

The permissions of all files included in the SUSE Linux Enterprise Desktop distribution
are carefully chosen. A system administrator who installs additional software or other
files should take great care when doing so, especially when setting the permission bits.
Experienced and security-conscious system administrators always use the -l option
with the command ls to get an extensive file list, which allows them to detect any
incorrect file permissions immediately. An incorrect file attribute does not only mean
that files could be changed or deleted. These modified files could be executed by root
or, in the case of configuration files, programs could use such files with the permissions
of root. This significantly increases the possibilities of an attacker. Attacks like this
are called cuckoo eggs, because the program (the egg) is executed (hatched) by a
different user (bird), just like a cuckoo tricks other birds into hatching its eggs.

A SUSE® Linux Enterprise Desktop system includes the files permissions,
permissions.easy, permissions.secure, and permissions.paranoid,
all in the directory /etc. The purpose of these files is to define special permissions,
such as world-writable directories or, for files, the setuser ID bit (programs with the
setuser ID bit set do not run with the permissions of the user that has launched them, but
with the permissions of the file owner, in most cases root). An administrator can use
the file /etc/permissions.local to add his own settings.

To define which of the above files is used by SUSE Linux Enterprise Desktop's
configuration programs to set permissions accordingly, select Local Security in the Security
and Users section of YaST. To learn more about the topic, read the comments in
/etc/permissions or consult the manual page of chmod (man chmod).
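
One way to check files against a list of expected ownership and modes, as an added example that is not part of the manual or of SUSE's own tooling. It assumes list lines of the form "path owner:group mode" (an assumption; the comments in /etc/permissions are authoritative for the real layout) and GNU stat; norm_mode, audit_perms and demo are hypothetical names.

```shell
#!/bin/sh
# Added example, not part of the manual. Assumes list lines of the form
# "path owner:group mode" and GNU stat (coreutils).

# norm_mode MODE: print four-digit octal so 644, 0644 and 00644 compare equal
norm_mode() {
    printf '%04o' "0$1"
}

# audit_perms LIST: print one line per deviation; return 1 if any was found
audit_perms() {
    rc=0
    while read -r path owner mode _rest || [ -n "$path" ]; do
        case $path in
            ''|'#'*) continue ;;                 # blank line or comment
        esac
        if [ ! -e "$path" ]; then
            echo "SKIP   $path (not present)"    # listed but not installed
            continue
        fi
        have_owner=$(stat -c '%U:%G' -- "$path")
        have_mode=$(norm_mode "$(stat -c '%a' -- "$path")")
        want_mode=$(norm_mode "$mode")
        if [ "$have_owner" != "$owner" ]; then
            echo "OWNER  $path is $have_owner, expected $owner"
            rc=1
        fi
        if [ "$have_mode" != "$want_mode" ]; then
            echo "MODE   $path is $have_mode, expected $want_mode"
            rc=1
        fi
    done < "$1"
    return "$rc"
}

# Constructed sample: a scratch file left world-writable, audited against a
# list that expects 0644. The owner is read from the file so only the mode differs.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/app.conf"
    chmod 666 "$d/app.conf"
    echo "$d/app.conf $(stat -c '%U:%G' "$d/app.conf") 0644" > "$d/list"
    status=0
    audit_perms "$d/list" || status=$?
    rm -rf "$d"
    return "$status"
}
demo || echo "deviations found"
```

A non-zero return from audit_perms makes it usable as a gate after installing additional software, for example against a list the administrator maintains alongside /etc/permissions.local.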

1.1.5 Buffer Overflows and Format String Bugs

Special care must be taken whenever a program is supposed to process data that can or
could be changed by a user, but this is more of an issue for the programmer of an
application than for regular users. The programmer must make sure that his application
interprets data in the correct way, without writing it into memory areas that are too small
to hold it. Also, the program should hand over data in a consistent manner, using the
interfaces defined for that purpose.

A buffer overflow can happen if the actual size of a memory buffer is not taken into
account when writing to that buffer. There are cases where this data (as generated by