9.9. Finding setuid (or setgid) Programs
Problem
You want to check for potentially insecure setuid (or setgid) programs.
Solution
To list all setuid or setgid files (programs and scripts):
$ find /dir -xdev -type f -perm +ug=s -print
(Recent GNU findutils no longer accept the -perm +mode form. Use -perm /u=s,g=s there, or the portable \( -perm -4000 -o -perm -2000 \), which also works with BSD find.)
To list only setuid or setgid scripts:
$ find /dir -xdev -type f -perm +ug=s -print0 | \
perl -0ne 'chomp;
open(FILE, $_);
read(FILE, $magic, 2);
print $_, "\n" if $magic eq "#!";
close(FILE)'
To remove setuid or setgid bits from a file:
$ chmod u-s file        Remove the setuid bit
$ chmod g-s file        Remove the setgid bit
To find and interactively fix setuid and setgid programs:
$ find /dir -xdev -type f \
\( -perm +u=s -printf "setuid: %p\n" -ok chmod -v u-s {} \; , \
-perm +g=s -printf "setgid: %p\n" -ok chmod -v g-s {} \; \)
To ignore the setuid or setgid attributes for executables in a filesystem, mount it with the nosuid option. To prohibit executables entirely, use the noexec mount option. These options can appear on the command line:
# mount -o nosuid ...
# mount -o noexec ...
or in /etc/fstab :
/dev/hdd3 /home ext2 rw,nosuid 1 2
/dev/hdd7 /data ext2 rw,noexec 1 3
Both options cover only the filesystem they are set on, and noexec blocks only direct execution: a script on a noexec filesystem still runs if it is handed to its interpreter as an argument (sh /data/script). Treat these mount options as defense in depth, not as a replacement for the audit above.
Be aware of the important options and limitations of find, so you don’t inadvertently overlook important files. [Recipe 9.8]
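The commands above answer the question once; what you usually want is to keep a baseline from a known-good system and be told only what changed. The following script is an added example and is not from the book. It is plain POSIX sh, uses the portable find test (-perm -4000 -o -perm -2000) instead of the GNU-only -perm +ug=s, reads the setuid/setgid bits from the ls(1) mode string and the "#!" magic with od(1) rather than perl, and compares the sorted listing against a baseline file with comm(1). The function names, the "<bits> <kind> <path>" line format and the baseline file layout are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the book: a portable setuid/setgid audit in POSIX sh.
# It finds setuid/setgid regular files with "-perm -4000 -o -perm -2000" (GNU and
# BSD find), tags each hit as setuid/setgid and script/binary, and diffs the sorted
# result against a baseline saved on a known-good system, so a newly planted
# setuid program shows up as a single added line.
# Function names, output format and baseline layout are this example's own choices.

# classify FILE: print "<bits> <kind>", e.g. "setuid script" or "setuid,setgid binary".
# Bits come from ls(1)'s mode string (column 4 = setuid, column 7 = setgid, 's' or
# 'S'); the kind comes from the file's first two bytes ("#!" = 0x23 0x21 = script).
classify() {
    mode=$(ls -ld -- "$1" | cut -c1-10)
    bits=""
    case $mode in ???[sS]*) bits="setuid" ;; esac
    case $mode in ??????[sS]*) bits="${bits:+$bits,}setgid" ;; esac
    case $(od -An -tx1 -N2 "$1" | tr -d ' \n') in
        2321) kind=script ;;
        *)    kind=binary ;;
    esac
    printf '%s %s\n' "$bits" "$kind"
}

# list_suid DIR: one sorted line per setuid/setgid regular file under DIR, without
# crossing mount points, e.g. "setuid script /usr/local/bin/wrapper".
# (File names containing newlines would need -print0 handling like the perl
# version; they are rare on a system you administer, so this keeps -print.)
list_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        printf '%s %s\n' "$(classify "$f")" "$f"
    done | LC_ALL=C sort
}

# new_since_baseline BASELINE DIR: lines in the current listing of DIR that are
# absent from BASELINE (a file written earlier with "list_suid DIR > BASELINE").
# Empty output means no file was added, changed mode, or turned into a script.
new_since_baseline() {
    list_suid "$2" | LC_ALL=C comm -13 "$1" -
}

# Usage: sh suid-audit.sh /usr/local > baseline.txt    (on a known-good system)
#        sh suid-audit.sh baseline.txt /usr/local      (later; prints additions only)
if [ $# -eq 1 ]; then
    list_suid "$1"
elif [ $# -eq 2 ]; then
    new_since_baseline "$1" "$2"
fi
```

Store the baseline somewhere an intruder with write access to the audited tree cannot reach (read-only media, or another host), otherwise it can be edited to match the backdoor. A file that is the same path but a different binary will not show up here; pair this with a checksum database if you need that.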
Discussion
If your system has been compromised, it is quite likely that an intruder has installed backdoors. A common ploy is to hide a setuid root program in one of your filesystems.
The setuid permission bit changes the effective user ID to the owner of the file (even root) when ...