Finding and Creating SetUID Programs
A SetUID program has a special file attribute that the kernel uses to determine if it should override the default permissions given to an application. When doing a directory listing, the permissions shown on a file in its ls -l output will reveal this little fact. For example:
[root@serverA ~]# ls -l /bin/ping
-rwsr-xr-x 1 root root 41912 2010-09-14 02:32 /bin/ping
If the fourth letter in the permissions field is an s, the application is SetUID. If the
file’s owner is root, then the application is SetUID root. In the case of ping, we can see
that it will execute with root permissions available to it. Another example is the Xorg
(X Window) program:
[root@serverA ~]# ls -l /usr/bin/Xorg
-rws--x--x 1 root root 1910628 2010-10-17 19:38 /usr/bin/Xorg
As with ping, we see that the fourth character of the permissions is an s and the
owner is root. The Xorg program is, therefore, SetUID root.
To determine if a running process is SetUID, you can use the ps command to see both the actual user of a process and its effective user, like so:
[root@serverA ~]# ps ax -o pid,euser,ruser,comm
This will output all of the running programs with their process ID (PID), effective user (euser), real user (ruser), and command name (comm). If the effective user is different from the real user, it is likely a SetUID program.
To make a program run as SetUID, use the chmod command. Prefix the desired permissions with a 4 to turn the SetUID bit on. (Using a prefix of 2 will enable the SetGID bit, which is like SetUID, but with group permissions instead of user permissions.) For example, if we have a program called “myprogram” and we want to make it SetUID root, we would do the following:
[root@serverA ~]# chown root myprogram
[root@serverA ~]# chmod 4755 myprogram
[root@serverA ~]# ls -l myprogram
-rwsr-xr-x 1 root root 0 2008-02-09 07:40 myprogram
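The following POSIX shell functions are an added illustration, not part of the original text. They decode the special bits from both notations used above: the 4th, 7th and 10th characters of an ls -l mode string, and the leading digit of an octal mode such as 4755 as given to chmod. They also flag the uppercase S/T case, where a special bit is set but the matching execute bit is not, which usually points to a mistaken chmod rather than an intended SetUID program.

```shell
#!/bin/sh
# Decode the special permission bits (SetUID, SetGID, sticky) of a file from
# the two forms shown in the text: an "ls -l" mode string and an octal mode.
# Added example; the sample mode strings in the comments are constructed.

# Print the special bits found in an ls -l mode string, one per line.
# Character 4 carries SetUID, character 7 SetGID, character 10 the sticky bit.
# Lowercase s/t means the bit is set together with the execute bit in that
# position; uppercase S/T means the bit is set but that execute bit is not.
describe_ls_mode() {
    mode="$1"                                    # e.g. "-rwsr-xr-x"
    user_x=$(printf '%s' "$mode" | cut -c4)
    group_x=$(printf '%s' "$mode" | cut -c7)
    other_x=$(printf '%s' "$mode" | cut -c10)
    case "$user_x" in
        s) echo "setuid" ;;
        S) echo "setuid (owner execute bit not set)" ;;
    esac
    case "$group_x" in
        s) echo "setgid" ;;
        S) echo "setgid (group execute bit not set)" ;;
    esac
    case "$other_x" in
        t) echo "sticky" ;;
        T) echo "sticky (other execute bit not set)" ;;
    esac
}

# Print the special bits encoded in an octal chmod mode on one line,
# or "none".  A 3-digit mode has no special bits; in a 4-digit mode the
# leading digit is a bit mask: 4 = SetUID, 2 = SetGID, 1 = sticky, so
# 6755 means SetUID and SetGID together.
describe_octal_mode() {
    octal="$1"                                   # e.g. "4755"
    case "${#octal}" in
        3) special=0 ;;
        4) special=$(printf '%s' "$octal" | cut -c1) ;;
        *) echo "invalid mode: $octal" >&2; return 1 ;;
    esac
    out=""
    if [ $((special & 4)) -ne 0 ]; then out="${out}${out:+ }setuid"; fi
    if [ $((special & 2)) -ne 0 ]; then out="${out}${out:+ }setgid"; fi
    if [ $((special & 1)) -ne 0 ]; then out="${out}${out:+ }sticky"; fi
    printf '%s\n' "${out:-none}"
}

# Usage, fed with the modes shown in the text:
#   describe_ls_mode '-rwsr-xr-x'   # the /bin/ping listing
#   describe_octal_mode 4755        # the chmod used on myprogram
```

The ls-based function reads the mode string only, so it works on a saved listing as well as on live output; pair it with the file owner column to decide whether a SetUID file is SetUID root.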
Ensuring that a system has only the absolutely minimum and necessary SetUID programs can be a good housekeeping measure. A typical Linux distribution can easily have hundreds of files and executables that are unnecessarily SetUID. Going from directory to directory to find SetUID programs can be tiresome and error-prone. So instead of doing that manually, use the find command, like so:
[root@serverA ~]# find / -perm +4000 -ls
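The script below is an added example, not part of the original text, covering both the file audit just described and the ps check from earlier. It lists SetUID and SetGID files under a tree, compares them against an allowlist of expected paths, and filters ps output to processes whose effective user differs from their real user. Two caveats a practitioner will want: the `-perm +4000` form above was accepted by older GNU find but current versions reject it, so the script uses the portable `-perm -4000` (at least these bits); and a differing effective/real user is only a hint, since daemons that drop privileges after starting look the same. The allowlist path in the usage comment is a constructed placeholder.

```shell
#!/bin/sh
# Audit SetUID/SetGID files against an allowlist and spot running processes
# whose effective user differs from their real user.  Added example; the
# allowlist file name and the ps lines in the usage notes are constructed.

# List every regular file under $1 with the SetUID or SetGID bit set, sorted,
# one path per line.  "-perm -4000" means "at least the SetUID bit" and is
# portable across GNU and BSD find.  "-type f" skips directories, where a
# SetGID bit only controls group inheritance, and "-xdev" keeps the search on
# one filesystem so /proc, /sys and network mounts are not walked.
list_setuid_setgid() {
    root="$1"
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Print SetUID/SetGID files under $1 that are not listed in the allowlist
# file $2 (one absolute path per line).  Both sides are sorted with the same
# sort so that comm's line-by-line comparison is valid.
report_unexpected() {
    root="$1"
    allowlist="$2"
    found=$(mktemp)
    list_setuid_setgid "$root" > "$found"
    sort "$allowlist" | comm -23 "$found" -
    rm -f "$found"
}

# Filter ps rows of the form "pid euser ruser comm" to those whose effective
# user (column 2) differs from the real user (column 3).  Reads stdin so it
# works on live output or on a saved capture:
#   ps ax -o pid=,euser=,ruser=,comm= | euid_differs
# (the "=" after each column name suppresses the header line.)
euid_differs() {
    awk 'NF >= 4 && $2 != $3 { print $1, $2, $3, $4 }'
}

# Usage (constructed example): build a baseline from a known-good install of
# the same distribution, then rerun the report after each package update.
#   list_setuid_setgid / > /root/setuid-baseline.txt
#   report_unexpected / /root/setuid-baseline.txt
```

Any path printed by report_unexpected is either a newly installed program that legitimately needs the bit and should be added to the baseline, or a candidate for `chmod u-s` after checking what depends on it.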
Tuesday, September 15, 2009