Scan for SUID and SGID Programs
Quickly check for potential root-exploitable programs and backdoors.
One potential way for a user to escalate her privileges on a system
is to exploit a vulnerability in an
SUID or SGID program. SUID and SGID are
legitimately used when programs need special permissions above and
beyond those that are available to the user who is running them. One
such program is passwd.
Simultaneously allowing a user to change her password while not
allowing any user to modify the system password file means that the
passwd program must be run with root privileges.
Thus the program has its SUID bit set, which causes it to be executed
with the privileges of the program file’s owner.
Similarly, when the SGID bit is set, the program is executed with the
privileges of the file’s group owner.
Running ls -l
on a binary that has its SUID bit set
should look like this:
-r-s--x--x 1 root root 16336 Feb 13 2003 /usr/bin/passwd
Notice that instead of an execute bit (x) in the owner's position it shows
an s. This signifies an SUID file; an SGID binary shows an s in the
group's execute position instead. A capital S in either position means
the bit is set but the matching execute bit is not, which is unusual and
worth a second look.
Unfortunately, a poorly written SUID or SGID binary can be used to quickly and easily escalate a user’s privileges. Also, an attacker who has already gained root access may hide SUID binaries throughout your system in order to leave a backdoor for future access. This leads us to the need for scanning systems for SUID and SGID binaries. This is a simple process and can be done with the following command:
# find / \( -perm -4000 -o -perm -2000 \) -type ...
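The scan is only half the job: to notice a planted binary you need something to compare against. The following is an added example, not part of the original text, that wraps the same find(1) expression in a function, saves its output as a baseline, and reports only what has appeared since. The directory tree it scans is constructed in a temporary directory so the script runs without root and without touching the real system; the file names (passwd, wall, a hidden .sh under tmp/.X11-unix) are illustrative.

```sh
# Added example, not from the original text: scan a tree for SUID/SGID files,
# save the result as a baseline, and report anything that appears later.
# The files under the demo tree are constructed for demonstration only.
LC_ALL=C; export LC_ALL   # byte-order sort so comm(1) sees consistent input

# scan_suid_sgid DIR: print SUID/SGID regular files under DIR, sorted, as
# paths relative to DIR so two scans of the same tree can be compared.
scan_suid_sgid() {
    # -perm -4000 matches the SUID bit, -perm -2000 the SGID bit.
    # -type f skips directories, where SGID only means "inherit group".
    ( cd "$1" && find . \( -perm -4000 -o -perm -2000 \) -type f -print 2>/dev/null ) | sort
}

# new_since_baseline BASELINE DIR: lines in a fresh scan of DIR that are not
# in BASELINE (the saved output of an earlier scan_suid_sgid run).
new_since_baseline() {
    scan_suid_sgid "$2" | comm -13 "$1" -
}

# Constructed demo tree: a SUID "passwd", an SGID "wall", a plain "ls" and an
# SGID directory. Prints the root so callers can scan it and remove it.
build_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/var/mail"
    : > "$root/usr/bin/passwd"; chmod 4511 "$root/usr/bin/passwd"   # -r-s--x--x
    : > "$root/usr/bin/wall";   chmod 2555 "$root/usr/bin/wall"     # -r-xr-sr-x
    : > "$root/usr/bin/ls";     chmod 0755 "$root/usr/bin/ls"       # no s bits
    chmod 2775 "$root/var/mail"                                     # SGID dir, must not be listed
    printf '%s\n' "$root"
}

# plant_backdoor DIR: drop a hidden SUID file, as an intruder leaving a way back in.
plant_backdoor() {
    mkdir -p "$1/tmp/.X11-unix"
    : > "$1/tmp/.X11-unix/.sh"; chmod 4755 "$1/tmp/.X11-unix/.sh"
}

# demo_baseline: what a clean scan of the demo tree reports.
demo_baseline() {
    root=$(build_demo_tree)
    scan_suid_sgid "$root"
    rm -rf "$root"
}

# demo_new_files: take a baseline, plant a backdoor, then report only the delta.
demo_new_files() {
    root=$(build_demo_tree)
    base=$(mktemp)
    scan_suid_sgid "$root" > "$base"
    plant_backdoor "$root"
    new_since_baseline "$base" "$root"
    rm -rf "$root" "$base"
}
```

On a real host you would run scan_suid_sgid against / once the system is known-good, keep the output somewhere an intruder cannot rewrite (read-only media or another machine), and re-run new_since_baseline on a schedule. Adding -xdev to the find expression keeps the scan on one filesystem so it does not wander into NFS mounts or /proc, and swapping -print for -ls shows the owner and mode of each hit, which is what you need to judge whether a new entry is a package upgrade or a backdoor.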