9.9. Finding setuid (or setgid) Programs

Problem

You want to check for potentially insecure setuid (or setgid) programs.

Solution

To list all setuid or setgid files (programs and scripts):

$ find /dir -xdev -type f -perm /ug=s -print

The /mode form of -perm matches files with any of the listed bits set. Older releases of GNU find spelled this -perm +ug=s; that prefix has been deprecated since findutils 4.2.x and is rejected by current versions.

To list only setuid or setgid scripts:

$ find /dir -xdev -type f -perm /ug=s -print0 | \
perl -0ne 'chomp;                            # -0: records are NUL-terminated
               open(my $fh, "<", $_) or next;  # skip files we cannot read
               read($fh, my $magic, 2);        # first two bytes
               print $_, "\n" if $magic eq "#!";  # "#!" marks an interpreter script
               close($fh)'

To remove setuid or setgid bits from a file:

$ chmod u-s file                  # Remove the setuid bit
$ chmod g-s file                  # Remove the setgid bit

To find and interactively fix setuid and setgid programs:

$ find /dir -xdev -type f \
        \(  -perm /u=s -printf "setuid: %p\n" -ok chmod -v u-s {} \; , \
            -perm /g=s -printf "setgid: %p\n" -ok chmod -v g-s {} \;   \)

To ignore the setuid or setgid attributes for executables in a filesystem, mount it with the nosuid option. To prohibit executables entirely, use the noexec mount option. These options can appear on the command line:

# mount -o nosuid ...
# mount -o noexec ...

or in /etc/fstab:

/dev/hdd3   /home   ext2    rw,nosuid   1 2
/dev/hdd7   /data   ext2    rw,noexec   1 3

Be aware of the important options and limitations of find, so you don’t inadvertently overlook important files. [Recipe 9.8]
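The listing and classification steps above, combined into one audit script. This is an added example, not the book's own code: the function names setid_kind, file_kind and audit_setid are mine, it assumes a find that understands -perm /MODE (GNU or busybox), and everything else is POSIX sh.

```shell
#!/bin/sh
# Audit one filesystem for setuid/setgid regular files and label each hit as
# a script (starts with "#!") or a binary, so set-id scripts stand out.
# Assumes GNU or busybox find for -perm /MODE; the rest is POSIX sh.

# Which set-id bits are on "$1"? Parses the 10-character mode field of
# ls -l: column 4 is the user exec slot, column 7 the group exec slot, and
# s/S there means the corresponding set-id bit is present.
setid_kind() {
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        ???[sS]??[sS]*) echo setuid+setgid ;;
        ???[sS]*)       echo setuid ;;
        ??????[sS]*)    echo setgid ;;
        *)              echo none ;;
    esac
}

# Script or binary? Same test as the recipe's perl one-liner: inspect the
# first two bytes for the "#!" interpreter magic. A file we cannot read
# yields an empty string and is reported as binary, so it is still listed.
file_kind() {
    magic=$(dd if="$1" bs=2 count=1 2>/dev/null)
    if [ "$magic" = '#!' ]; then echo script; else echo binary; fi
}

# Print "<bits> <kind> <path>" for every set-id regular file under "$1",
# staying on one filesystem (-xdev). /6000 matches files with ANY of the
# setuid (4000) or setgid (2000) bits, i.e. the octal form of -perm /ug=s.
# Caveat: output is newline-separated; a filename containing a newline
# needs -print0 and a NUL-aware reader such as the recipe's perl loop.
audit_setid() {
    find "$1" -xdev -type f -perm /6000 -print |
    while IFS= read -r f; do
        printf '%s %s %s\n' "$(setid_kind "$f")" "$(file_kind "$f")" "$f"
    done
}

# Example run over the root filesystem, sorted for review:
#   audit_setid / | sort
```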

Discussion

If your system has been compromised, it is quite likely that an intruder has installed backdoors. A common ploy is to hide a setuid root program in one of your filesystems.

The setuid permission bit changes the effective user ID to the owner of the file (even root) when ...
