How to find Unauthorized SUID/SGID System Executables and fix them.
The following command discovers and prints any setuid or setgid files on local partitions. Run it once for each local partition PART:
# find PART -xdev \( -perm -4000 -o -perm -2000 \) -type f -print
If the file does not require a setuid or setgid bit as discussed below, then these bits can be removed with the command:
SUID/SGID File Security
SUID/SGID bits can be misused when the SUID/SGID executable has a security hole.
SUID stands for set user ID. When a SUID file is executed, the process that runs it is granted access to system resources based on the user who owns the file, not the user who started the process. When a file is SUID root, it lets a program or script perform operations that regular users are not permitted to do themselves. Many buffer overflow exploits target SUID programs for exactly this reason.
SGID stands for set group ID. On files, SGID behaves much the same as SUID, and the file must be executable for the bit to have any effect. The SGID bit on a directory means files created in that directory will have their group set to the directory's group.
When the SUID (set user ID) or SGID (set group ID) bit is set on an executable, it runs with the UID or GID of the executable's owner rather than that of the user executing it. This means that, for example, every executable that has the SUID bit set and is owned by root runs with the UID of root. A good example is the passwd command, which allows ordinary users to update their own password field in /etc/shadow, a file owned by root.
But SUID/SGID bits can be misused when the SUID/SGID executable has a security hole. Therefore, you might want to search the entire system for SUID/SGID executables and document them.
To search the entire system for SUID or SGID files, you can run the following command:
find / -path /proc -prune -o -type f -perm /6000 -ls
The -prune option in this example is used to skip the /proc filesystem. -perm /6000 matches files with either the SUID or the SGID bit set; older versions of GNU find spelled this -perm +6000, a form that current releases no longer accept.
For example, to skip the directory src/emacs and all files and directories under it, and print the names of the other files found, do something like this:
find . -path ./src/emacs -prune -o -print
-prune: True; if the file is a directory, do not descend into it.
Ensure that developers don't set SUID/SGID bits on their programs unless it is an absolute requirement. Very often a workaround is enough, such as removing just the execute bit for world/others. A better approach, where possible, is to change the design of the software so that the bits are not needed at all.
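An added example, not from the original article or any distribution's tooling, that ties the steps above together: list the SUID/SGID files on one filesystem, compare them with a baseline of paths that are known to need the bits, and strip the bits from anything unexpected with `chmod u-s,g-s`. The directory tree, file names and baseline built by setup_demo are constructed for the demonstration, and the /etc/suid-baseline.txt path in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original article: audit one filesystem for
# SUID/SGID files, compare them with a baseline of paths that are known to
# need the bits, and strip the bits from anything not on the baseline.
# The tree built by setup_demo, its file names and the baseline are constructed.

# List SUID/SGID regular files under DIR, staying on one filesystem (-xdev),
# one path per line, sorted so the output is stable for comparison.
list_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# Print SUID/SGID files under DIR that are not listed (one path per line)
# in BASELINE. Returns 1 when anything unexpected was found, else 0.
audit_suid_sgid() {
    unexpected=$(list_suid_sgid "$1" | grep -vxF -f "$2" || true)
    [ -z "$unexpected" ] && return 0
    printf '%s\n' "$unexpected"
    return 1
}

# Read paths from stdin and clear both bits: the removal step of the article.
strip_suid_sgid() {
    while IFS= read -r f; do
        chmod u-s,g-s "$f"
    done
}

# Build a constructed demo tree and print its root. Two "system" binaries
# carry the bits legitimately and are baselined; a third-party helper does not.
setup_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/opt/app"
    for f in bin/passwd bin/mount opt/app/helper opt/app/plain; do
        printf '#!/bin/sh\n' > "$d/$f"
        chmod 755 "$d/$f"
    done
    chmod u+s "$d/bin/passwd" "$d/opt/app/helper"   # SUID
    chmod g+s "$d/bin/mount"                         # SGID
    printf '%s\n%s\n' "$d/bin/passwd" "$d/bin/mount" > "$d/baseline.txt"
    echo "$d"
}

# Usage on a real host (hypothetical baseline path): run it once per local
# partition, review the findings, then pipe them to strip_suid_sgid.
#   audit_suid_sgid / /etc/suid-baseline.txt
```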