Security procedures

Example: checking set-UIDs

The following example lists all set-UID programs owned by root. The output is saved in a file in /tmp. All mounted paths are checked by this command starting at /.

The same command can also be run for sys, bin, and mail by substituting the login name after -user.

   # find / -user root -perm -4000 -exec ls -ldb {} \; > /tmp/ckprm
   # cat /tmp/ckprm
   -r-sr-xr-x    1 root     sys        65988 Nov  1 11:22 /sbin/su
   ---s--x---    2 root     lp         38780 Nov  1 11:23 /usr/bin/enable
   -r-sr-sr-x    1 root     sys        29960 Nov  1 11:23 /usr/bin/passwd
   -r-sr-xr-x    1 root     root       14480 Nov  1 11:23 /usr/bin/priocntl
   ---s--x---    2 root     lp         38780 Nov  1 11:23 /usr/bin/disable
   -r-sr-xr-x    1 root     root       65988 Nov  1 11:51 /usr/bin/su
   -rwsr-xr-x    1 root     sys          162 Nov  1 10:33 /usr/bin/disable_glogin
   ---s--x---    1 root     rar        45376 Oct 30 15:11 /usr/rar/bin/sh
   -rwsr-xr-x    1 root     sys          197 Nov  1 11:28 /usr/bin/enable_glogin
   -rwsr-xr-x    1 root     sys          174 Nov  1 10:33 /usr/bin/start_glogin
   ---s--s--x    1 root     uucp       30964 Nov  1 11:26 /usr/bin/ct
   -r-sr-xr-x    1 root     bin        51804 Nov  1 11:26 /usr/bin/listusers
   -r-sr-x---    1 root     bin        67408 Nov  1 10:28 /usr/lib/iaf/in.login/scheme
   .
   .
   .
   #

In this example, an unauthorized user (rar) has made a personal copy of /usr/bin/sh and has made it set-UID to root. This means that rar can execute /usr/rar/bin/sh and become the privileged user.

If you want to save this output for future reference, move the file out of /tmp.
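
Once a listing has been saved, a later run can be compared against it to surface set-UID files that are new or whose attributes have changed. The script below is an added example, not part of the original UnixWare documentation; the function names setuid_diff and demo and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the UnixWare documentation).
# setuid_diff BASELINE CURRENT   (hypothetical helper name)
# Both files hold `ls -ldb` lines as written by the find command above.
# Prints "NEW <path>" for files missing from the baseline and
# "CHANGED <path>" when mode, owner, group or size differ.
setuid_diff() {
    awk '
        # Path is everything after the 8th field, so embedded spaces survive.
        function path(   p, i) {
            p = $0
            for (i = 1; i <= 8; i++) sub(/^[ \t]*[^ \t]+/, "", p)
            sub(/^[ \t]+/, "", p)
            return p
        }
        NF < 9 { next }    # skip blank lines and the "." filler
        { key = path(); attr = $1 " " $3 " " $4 " " $5 }
        FILENAME == ARGV[1] { base[key] = attr; next }   # baseline file
        !(key in base)    { print "NEW " key; next }
        base[key] != attr { print "CHANGED " key }
    ' "$1" "$2"
}

# Constructed sample data: a baseline saved earlier and a later listing in
# which passwd has gained owner write permission and a root-owned set-UID
# shell has appeared under a user directory.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/base" <<'EOF'
-r-sr-xr-x    1 root     sys        65988 Nov  1 11:22 /sbin/su
-r-sr-sr-x    1 root     sys        29960 Nov  1 11:23 /usr/bin/passwd
EOF
    cat > "$d/now" <<'EOF'
-r-sr-xr-x    1 root     sys        65988 Nov  1 11:22 /sbin/su
-rwsr-sr-x    1 root     sys        29960 Nov  1 11:23 /usr/bin/passwd
---s--x---    1 root     rar        45376 Oct 30 15:11 /usr/rar/bin/sh
EOF
    setuid_diff "$d/base" "$d/now"
    rm -rf "$d"
}
demo
```

Pass the saved listing as the first argument and a fresh /tmp/ckprm as the second. The timestamp is left out of the comparison because ls changes how it prints the date as a file ages.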



© 2004 The SCO Group, Inc. All rights reserved.
UnixWare 7 Release 7.1.4 - 22 April 2004