How to find Unauthorized SUID/SGID System Executables and fix them.
The following command discovers and prints any setuid or setgid files on local partitions. Run it once for each local partition PART:
# find PART -xdev \( -perm -4000 -o -perm -2000 \) -type f -print
If the file does not require a setuid or setgid bit as discussed below, then these bits can be removed with the command:
How to verify that all World-Writable Directories Have Proper Ownership
Locate any directories in local partitions which are world-writable and ensure that they are owned by root or another system account.
The following command will discover and print these (assuming only system accounts have a uid lower than 500). Run it once for each local partition PART:
# find PART -xdev -type d -perm -0002 -uid +500 -print
If this command produces any output, investigate why the current owner is not root or another system account.
Allowing a user account to own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users.
How to find and Repair Unowned Files
The following command will discover and print any files on local partitions which do not belong to a valid user and a valid group. Run it once for each local partition PART:
# find PART -xdev \( -nouser -o -nogroup \) -print
If this command prints any results, investigate each reported file and either assign it to an appropriate user and group or remove it.
Unowned files are not directly exploitable, but they are generally a sign that something is wrong with some system process. They may be caused by an intruder, by incorrect software installation or incomplete software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so that they will not cause problems when accounts are created in the future, and the problem which led to unowned files should be discovered and addressed.
Security - verify that All World-Writable Directories Have Sticky Bits Set
Locate any directories in local partitions which are world-writable and do not have their sticky bits set. The following command will discover and print these. Run it once for each local partition:
# find PARTITION -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
If this command produces any output, fix each reported directory /dir using the command:
When the so-called “sticky bit” is set on a directory, only the owner of a given file may remove that file from the directory. Without the sticky bit, any user with write access to a directory may remove any file in the directory. Setting the sticky bit prevents users from removing each other’s files. In cases where there is no reason for a directory to be world-writable, a better solution is to remove that permission rather than to set the sticky bit.
Disable Mounting of Uncommon Filesystem Types
Append the following lines to /etc/modprobe.conf in order to prevent the usage of uncommon filesystem types:
install cramfs /bin/true
install freevxfs /bin/true
install jffs2 /bin/true
install hfs /bin/true
install hfsplus /bin/true
install squashfs /bin/true
install udf /bin/true
Using the install command inside /etc/modprobe.conf instructs the kernel module loading system to run the command specified (here, /bin/true) instead of inserting the module in the kernel as normal. This effectively prevents usage of these uncommon filesystems.
