9.9. Finding setuid (or setgid) Programs
Problem
You want to check for potentially insecure setuid (or setgid) programs.
Solution
To list all setuid or setgid files (programs and scripts):

$ find /dir -xdev -type f -perm /u=s,g=s -print

(Older editions of GNU find wrote this test as -perm +ug=s. The + form is deprecated, and with some symbolic modes current versions no longer read it as "any of these bits", so the / form is used throughout this recipe.)
To list only setuid or setgid scripts:

$ find /dir -xdev -type f -perm /u=s,g=s -print0 | \
  perl -0ne 'chomp;
             open(FILE, "<", $_) or next;
             read(FILE, $magic, 2);
             print $_, "\n" if $magic eq "#!";
             close(FILE)'

The -print0 and perl -0 pair delimits names with NUL bytes, so filenames containing spaces or newlines survive intact; the three-argument open keeps Perl from interpreting an odd filename as a pipe or mode. A file is reported as a script when its first two bytes are the #! interpreter magic.
To remove setuid or setgid bits from a file:

$ chmod u-s file        (remove the setuid bit)
$ chmod g-s file        (remove the setgid bit)
To find and interactively fix setuid and setgid programs:

$ find /dir -xdev -type f \
    \( -perm /u=s -printf "setuid: %p\n" -ok chmod -v u-s {} \; , \
       -perm /g=s -printf "setgid: %p\n" -ok chmod -v g-s {} \; \)

The comma operator makes find evaluate both tests for every file, and -ok asks for confirmation before each chmod.
To ignore the setuid or setgid attributes for executables in a filesystem, mount it with the nosuid option. To prohibit executables entirely, use the noexec mount option. These options can appear on the command line:

# mount -o nosuid ...
# mount -o noexec ...

or in /etc/fstab:

/dev/hdd3  /home  ext2  rw,nosuid  1 2
/dev/hdd7  /data  ext2  rw,noexec  1 3
Be aware of the important options and limitations of find, so you don’t inadvertently overlook important files. [Recipe 9.8]
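An audit helper in POSIX shell, added here as an example rather than taken from the book, that wraps the find command above: it tags every setuid/setgid file as script or binary, and compares the sorted list against a saved baseline so a newly planted setid file shows up as a diff. It assumes GNU find (for -perm /6000) and a head that accepts -c; the names setid_audit and setid_check are hypothetical.

```shell
# Added example (not from the book): audit setuid/setgid files under a
# directory and compare the result against a saved baseline, so a newly
# planted setid file shows up as a diff. Assumes GNU find (-perm /6000)
# and a head(1) that accepts -c; function names are hypothetical.

# setid_audit ROOT: print "<bits> <kind> <path>" for every setuid/setgid
# regular file on ROOT's filesystem, sorted for stable diffs.
setid_audit() {
    # -xdev stays on one filesystem; -perm /6000 matches either setid bit.
    find "$1" -xdev -type f -perm /6000 -exec sh -c '
        for f; do
            # test -u / -g report the setuid / setgid bit of the file
            if [ -u "$f" ] && [ -g "$f" ]; then bits=setuid+setgid
            elif [ -u "$f" ]; then bits=setuid
            else bits=setgid
            fi
            # scripts start with the two bytes "#!"; anything else is binary
            case $(head -c 2 "$f" 2>/dev/null) in
                "#!") kind=script ;;
                *)    kind=binary ;;
            esac
            printf "%s %s %s\n" "$bits" "$kind" "$f"
        done' sh {} + | LC_ALL=C sort
}

# setid_check ROOT BASELINE: on the first run, record the audit in BASELINE
# and return 0; afterwards, print a unified diff of what changed since the
# baseline and return 1 if anything did (so it can drive a cron alert).
setid_check() {
    current=$(mktemp) || return 2
    setid_audit "$1" > "$current"
    if [ ! -f "$2" ]; then
        mv "$current" "$2"
        return 0
    fi
    if diff -u "$2" "$current"; then status=0; else status=1; fi
    rm -f "$current"
    return "$status"
}
```

Run setid_check /usr /var/lib/setid.baseline once to record the known set, then again from cron; a non-zero exit means a setuid or setgid file appeared, vanished, or changed kind since the baseline.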
Discussion
If your system has been compromised, it is quite likely that an intruder has installed backdoors. A common ploy is to hide a setuid root program in one of your filesystems.
The setuid permission bit changes the effective user ID to the owner of the file (even root) when ...
Get Linux Security Cookbook now with the O’Reilly learning platform.