The following example lists all set-UID programs owned by root. The output is saved in a file in /tmp. The command starts at / and checks all mounted file systems.
The same command can be run for the sys, bin, and mail users as well.
#find / -user root -perm -4000 -exec ls -ldb {} \; > /tmp/ckprm
#cat /tmp/ckprm
-r-sr-xr-x 1 root sys 65988 Nov 1 11:22 /sbin/su
---s--x--- 2 root lp 38780 Nov 1 11:23 /usr/bin/enable
-r-sr-sr-x 1 root sys 29960 Nov 1 11:23 /usr/bin/passwd
-r-sr-xr-x 1 root root 14480 Nov 1 11:23 /usr/bin/priocntl
---s--x--- 2 root lp 38780 Nov 1 11:23 /usr/bin/disable
-r-sr-xr-x 1 root root 65988 Nov 1 11:51 /usr/bin/su
-rwsr-xr-x 1 root sys 162 Nov 1 10:33 /usr/bin/disable_glogin
---s--x--- 1 root rar 45376 Oct 30 15:11 /usr/rar/bin/sh
-rwsr-xr-x 1 root sys 197 Nov 1 11:28 /usr/bin/enable_glogin
-rwsr-xr-x 1 root sys 174 Nov 1 10:33 /usr/bin/start_glogin
---s--s--x 1 root uucp 30964 Nov 1 11:26 /usr/bin/ct
-r-sr-xr-x 1 root bin 51804 Nov 1 11:26 /usr/bin/listusers
-r-sr-x--- 1 root bin 67408 Nov 1 10:28 /usr/lib/iaf/in.login/scheme
.
.
.
#
In this example, an unauthorized user (rar) has made a personal copy of /usr/bin/sh and has made it set-UID to root. This means that rar can execute /usr/rar/bin/sh and become the privileged user.
If you want to save this output for future reference, move the file out of /tmp.
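As an added example (not part of the original guide), the POSIX shell script below reads a listing in the format produced by the find command above, flags set-UID-root programs that sit outside an assumed allowlist of system directories (which is how the /usr/rar/bin/sh entry stands out), and reports entries that were not present in a previously saved listing. The directory allowlist and both sample listings are constructed assumptions; on a real host, feed it the contents of /tmp/ckprm and the copy you moved out of /tmp earlier.

```shell
#!/bin/sh
# Constructed sample listing, modelled on the ls -ldb output shown above.
SAMPLE_LISTING='-r-sr-xr-x 1 root sys 65988 Nov 1 11:22 /sbin/su
---s--x--- 2 root lp 38780 Nov 1 11:23 /usr/bin/enable
---s--x--- 1 root rar 45376 Oct 30 15:11 /usr/rar/bin/sh
-r-sr-x--- 1 root bin 67408 Nov 1 10:28 /usr/lib/iaf/in.login/scheme'

# Constructed baseline: the same host before the rar copy appeared.
BASELINE_LISTING='-r-sr-xr-x 1 root sys 65988 Nov 1 11:22 /sbin/su
---s--x--- 2 root lp 38780 Nov 1 11:23 /usr/bin/enable
-r-sr-x--- 1 root bin 67408 Nov 1 10:28 /usr/lib/iaf/in.login/scheme'

# Assumed allowlist of directories where set-UID-root binaries are expected.
EXPECTED_DIRS='/sbin /usr/bin /usr/sbin /usr/lib'

# Print the path of every set-UID entry in listing $1 whose directory is not
# under one of EXPECTED_DIRS (e.g. a copy placed in a user's home tree).
flag_unexpected_setuid() {
    printf '%s\n' "$1" |
    while read -r mode links owner group size mon day time path; do
        # The set-UID bit is the fourth mode character: s or S.
        case "$mode" in
            ???[sS]*) ;;
            *) continue ;;
        esac
        ok=0
        for d in $EXPECTED_DIRS; do
            case "$path" in
                "$d"/*) ok=1 ;;
            esac
        done
        if [ "$ok" -eq 0 ]; then
            printf '%s\n' "$path"
        fi
    done
}

# Print paths present in the current listing $2 but absent from the saved
# baseline listing $1, so new set-UID-root files show up between audits.
new_since_baseline() {
    {
        printf '%s\n' "$1" | awk '{ print "B", $NF }'
        printf '%s\n' "$2" | awk '{ print "C", $NF }'
    } | awk '$1 == "B" { seen[$2] = 1 }
             $1 == "C" && !seen[$2] { print $2 }'
}

echo "Outside expected directories:"
flag_unexpected_setuid "$SAMPLE_LISTING"
echo "New since baseline:"
new_since_baseline "$BASELINE_LISTING" "$SAMPLE_LISTING"
```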