Example: checking set-UIDs by filesystem
The following example shows the use of ncheck to examine the /usr filesystem (assuming /dev/dsk/c1b0t1d0s2 is the special file) for set-UID files. Examine the /etc/vfstab file to find the appropriate special filename for your system.

The normal output of the ncheck -s command includes special files. The -F vxfs option tells ncheck to expect a vxfs filesystem type. Other filesystem types support ncheck. See ncheck(1M) for more information.

The ncheck output, reduced by cut to the pathname field, is passed by xargs as arguments to the ls command. The use of the ls command is possible only if the filesystem is mounted.
# ncheck -F vxfs -s /dev/dsk/c1b0t1d0s2 | cut -f2 | xargs ls -l >/tmp/cksuid
# cat /tmp/cksuid
-r-sr-xr-x 1 root sys 65988 Nov 1 11:22 /sbin/su
-rwxr-sr-x 1 bin sys 43544 Nov 1 11:24 /sbin/swap
-r-xr-sr-x 1 bin sys 14448 Nov 1 11:23 /usr/bin/crontab
---x--s--x 1 uucp uucp 42376 Nov 1 11:23 /usr/bin/cu
---s--x--- 2 root lp 38780 Nov 1 11:23 /usr/bin/disable
---s--x--- 2 root lp 38780 Nov 1 11:23 /usr/bin/enable
-r-xr-sr-x 1 bin sys 23392 Nov 1 11:23 /usr/bin/ipcs
-r-xr-sr-x 2 bin mail 232240 Nov 1 11:22 /usr/bin/mail
-r-xr-sr-x 1 bin mail 211356 Nov 1 11:22 /usr/bin/mailx
-r-sr-sr-x 1 root sys 29960 Nov 1 11:23 /usr/bin/passwd
-r-sr-xr-x 1 root root 14480 Nov 1 11:23 /usr/bin/priocntl
-r-xr-sr-x 2 bin mail 232240 Nov 1 11:22 /usr/bin/rmail
---s--s--x 1 uucp uucp 65244 Nov 1 11:23 /usr/bin/uucp
---x--s--x 1 uucp uucp 15300 Nov 1 11:23 /usr/bin/uuname
---x--s--x 1 uucp uucp 58732 Nov 1 11:23 /usr/bin/uustat
---x--s--x 1 uucp uucp 48904 Nov 1 11:23 /usr/bin/uux
-r-sr-x--x 1 root mail 106440 Nov 1 11:26 /usr/ucblib/sendmail
-r-sr-x--x 1 root mail 109688 Nov 1 11:26 /usr/ucblib/sendmail.mx
-r-x--s--x 1 bin dos 13920 Nov 1 11:20 /usr/bin/doscat
.
.
.
-r-x--s--x 1 bin dos 30436 Nov 1 11:20 /usr/bin/doscp
-r-xr-sr-x 1 bin sys 42988 Nov 1 10:28 /usr/bin/netstat
-r-sr-xr-x 1 root root 65988 Nov 1 11:51 /usr/bin/su
-r-xr-s--x 1 sys sys 19640 Nov 1 11:29 /usr/bin/uidadmin
---s--x--- 1 root lp 246156 Nov 1 10:28 /usr/lib/lp/lpsched
-r-sr-xr-x 1 root sys 23824 Nov 1 01:27 /usr/rar/bin/su
-r-xr-sr-x 1 bin sys 11274 Oct 20 09:25 /usr/sbin/whodo
#
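In this example, /usr/rar/bin/su should be investigated: it is a set-UID root copy of su in a nonstandard directory, and its size and modification time differ from those of /sbin/su and /usr/bin/su in the same listing.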
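
One way to triage a listing like /tmp/cksuid, as an added example that is not part of the original UnixWare documentation: it flags set-UID and set-GID files outside a list of trusted directories and notes when one shares a name with a trusted copy of a different size. TRUSTED_DIRS, flag_suid and sample_listing are hypothetical names, the directory list is an assumption to adapt to your system, and the sample lines are copied from the listing above.

```sh
#!/bin/sh
# Added example: triage an `ls -l` listing of set-ID files (e.g. /tmp/cksuid).
# TRUSTED_DIRS is an assumption; list the directories where your system's
# vendor-installed set-UID/set-GID programs are expected to live.
TRUSTED_DIRS="/sbin /usr/bin /usr/sbin /usr/ucblib /usr/lib/lp"

# flag_suid: read `ls -l` lines on stdin and print one line per set-UID or
# set-GID regular file found outside TRUSTED_DIRS. Adds "size-mismatch" when
# a file of the same name in a trusted directory has a different size.
# Like the xargs pipeline, it assumes pathnames contain no whitespace.
flag_suid() {
    awk -v dirs="$TRUSTED_DIRS" '
    BEGIN { n = split(dirs, d, " "); for (i = 1; i <= n; i++) ok[d[i]] = 1 }
    # Mode character 4 is owner-execute (set-UID), 7 is group-execute (set-GID).
    NF >= 9 && /^-/ {
        if (substr($1, 4, 1) !~ /[sS]/ && substr($1, 7, 1) !~ /[sS]/) next
        path = $NF
        dir = path;  sub("/[^/]*$", "", dir)
        base = path; sub("^.*/", "", base)
        if (dir in ok) { trusted_size[base] = $5; next }
        cnt++; p[cnt] = path; b[cnt] = base; s[cnt] = $5; o[cnt] = $3
    }
    END {
        for (i = 1; i <= cnt; i++) {
            why = "untrusted-dir"
            if ((b[i] in trusted_size) && trusted_size[b[i]] != s[i])
                why = why ",size-mismatch"
            print why, "owner=" o[i], p[i]
        }
    }'
}

# Sample input: lines copied from the listing on this page.
sample_listing() {
    cat <<'EOF'
-r-sr-xr-x 1 root sys 65988 Nov 1 11:22 /sbin/su
-r-xr-sr-x 1 bin sys 14448 Nov 1 11:23 /usr/bin/crontab
-r-sr-sr-x 1 root sys 29960 Nov 1 11:23 /usr/bin/passwd
-r-sr-xr-x 1 root root 65988 Nov 1 11:51 /usr/bin/su
---s--x--- 1 root lp 246156 Nov 1 10:28 /usr/lib/lp/lpsched
-r-sr-xr-x 1 root sys 23824 Nov 1 01:27 /usr/rar/bin/su
EOF
}

sample_listing | flag_suid
```

To check a real listing, adjust TRUSTED_DIRS and run flag_suid </tmp/cksuid.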
© 2004 The SCO Group, Inc. All rights reserved.
UnixWare 7 Release 7.1.4 - 22 April 2004