SUID and SGID files
SUID and SGID files are executables which, when run by a normal user, may have access to resources not normally available to the user running the program. For example, an SUID program could have the permissions:
-r-sr-xr-x 1 root root 11267 Jan 21 00:28 /usr/sbin/foo
The s in the owner's permission field, in place of the usual x, indicates that /usr/sbin/foo is SUID. If run by a normal user, the executable will run with the privileges of the owner of the file, in this case root, so the program will have access to the same system resources as root.
Below is an example of an SGID file:
-r-xr-sr-x 1 root foo 11267 Jan 21 00:28 /usr/sbin/foo
Here there is an s in place of the group's execute bit, meaning the file is SGID and will be executed with the group permissions of the foo group.
SGID and SUID programs may be used by a cracker to gain elevated permissions on a system, so you should keep track of such files. You can find SUID and SGID files using find:
# find / \( -perm -4000 -o -perm -2000 \) -exec ls -ldb {} \; >> SUID_files.txt
This command finds all SUID or SGID files and lists them in a file called SUID_files.txt. (The parentheses matter: without them find applies the -exec only to the -perm -2000 branch, and the SUID files are never listed.) You can unset the SUID and SGID bits with the command
# chmod -s /usr/sbin/foo
but be warned, unsetting the SUID or SGID bit on some programs may mean that they will no longer run. Periodically check for new files.
There should be no reason for users to have SUID files in their home directories, so you should use the nosuid option in /etc/fstab for the partition containing users' $HOME directories. For example:
/dev/hda3 /home ext3 defaults,nosuid 1 1
World readable/writable files
Files should be world readable or writable only for very good reasons. You should check for such files the way we did above for SGID and SUID files:
# find / \( -perm -o+r -o -perm -o+w \) ! -type l >> world_readwrite.txt
Again, check through the list and remove permissions from files that do not need to be world readable or writable, and run checks regularly for new world readable or writable files.
Files with no owner or group
Ownerless files can be an indication that someone has gained access to your system. You should check regularly using the command
# find / -nouser -o -nogroup
If you find any ownerless files, either delete them or, if you know what they are and wish to keep them, assign them to an appropriate user and group. For example, to assign myfile to the user foo and the group bar, you would issue the command
# chown foo:bar myfile
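As an added example that is not part of the original text, the following POSIX shell script ties together the checks from the three sections above: it lists SUID, SGID, world-writable and ownerless files under a directory using the same find tests, saves the result as a baseline, and on a later run reports only the entries that have appeared since, which is what the advice to periodically check for new files amounts to in practice. The directory layout, the file names (suid_tool, sgid_tool, scratch, dropped) and the functions audit_tree, new_since_baseline, make_demo_tree and demo are all constructed for this demonstration.

```shell
#!/bin/sh
# Added example (not from the original text): audit a tree for the file
# classes discussed above (SUID, SGID, world writable, no owner/group) and
# report only entries that were not present in an earlier baseline.
# All paths and file names below are constructed for the demonstration.

# Print one "CLASS path" line per matching file under the given directory,
# sorted so the output can later be compared with comm(1).
audit_tree() {
    root_dir="$1"
    {
        # -perm -4000: setuid bit set (the "s" in the owner execute slot)
        find "$root_dir" -type f -perm -4000 -print | sed 's/^/SUID /'
        # -perm -2000: setgid bit set (the "s" in the group execute slot)
        find "$root_dir" -type f -perm -2000 -print | sed 's/^/SGID /'
        # -perm -0002: writable by "other"; -type f also skips symlinks
        find "$root_dir" -type f -perm -0002 -print | sed 's/^/WORLD_WRITABLE /'
        # -nouser / -nogroup: uid or gid with no entry in passwd / group
        find "$root_dir" \( -nouser -o -nogroup \) -print | sed 's/^/NO_OWNER /'
    } | sort
}

# Print the lines of the current audit that are absent from the baseline.
# Both inputs must be sorted, which audit_tree guarantees.
new_since_baseline() {
    comm -13 "$1" "$2"
}

# Build a constructed tree with one file of each interesting kind. Ownerless
# files cannot be created without root, so that class stays empty here.
make_demo_tree() {
    root="$1"
    mkdir -p "$root/bin" "$root/tmp"
    : > "$root/bin/suid_tool"; chmod 4755 "$root/bin/suid_tool"
    : > "$root/bin/sgid_tool"; chmod 2755 "$root/bin/sgid_tool"
    : > "$root/tmp/scratch";   chmod 0666 "$root/tmp/scratch"
    : > "$root/bin/harmless";  chmod 0755 "$root/bin/harmless"
}

# Full workflow: take a baseline, let a new setuid file appear, re-audit and
# print only what is new. A cron job would mail this output to the admin.
demo() {
    work=$(mktemp -d)
    make_demo_tree "$work/tree"
    audit_tree "$work/tree" > "$work/baseline.txt"
    # Simulate a setuid binary appearing in the tree after the baseline.
    : > "$work/tree/bin/dropped"; chmod 4755 "$work/tree/bin/dropped"
    audit_tree "$work/tree" > "$work/current.txt"
    new_since_baseline "$work/baseline.txt" "$work/current.txt"
    rm -rf "$work"
}

demo
```

Run it as-is to see the demonstration; on a real system call audit_tree on / and keep the baseline somewhere the audited tree cannot modify, since the comparison is only as trustworthy as the stored baseline.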