System Administration Guide

Setting and Searching for Special Permissions

You can set special permissions on a file in absolute or symbolic modes. In absolute mode, you set special permissions by adding a new octal value to the left of the permission triplet. Table 51-7 lists the octal values to set special permissions on a file.

Table 51-7 Setting Special Permissions in Absolute Mode

    Octal Value    Special Permissions Set
    1              Sticky bit
    2              setgid
    4              setuid

Table 51-6 lists the symbols to change the special permissions in symbolic mode.

How to Set Special Permissions in Absolute Mode

  1. If you are not the owner of the file or directory, become superuser.

    Only the current owner or superuser can use the chmod command to change the special permissions on a file or directory.

  2. Change special permissions in absolute mode by using the chmod command.


    $ chmod nnnn filename

    nnnn

    Specifies the octal values that change the permissions on the file or directory. The first octal value on the left sets the special permissions on the file. See Table 51-7 for the list of valid octal values for the special permissions.

    filename

    Is the file or directory. 

  3. Verify the permissions of the file have changed.


    $ ls -l filename
    

Examples--Setting Special Permissions in Absolute Mode

The following example sets setuid permission on the dbprog file.


$ chmod 4555 dbprog
$ ls -l dbprog
-r-sr-xr-x   1 db     staff        12095 May  6 09:29 dbprog

The following example sets setgid permission on the dbprog2 file.


$ chmod 2551 dbprog2
$ ls -l dbprog2
-r-xr-s--x   1 db     staff       24576 May  6 09:30 dbprog2

The following example sets sticky bit permission on the pubdir directory.


$ chmod 1777 pubdir

How to Find Files With setuid Permissions

  1. Become superuser.

  2. Find files with setuid permissions set by using the find command.


    # find directory -user root -perm -4000 -exec ls -ldb {} \; >/tmp/filename

    find directory

    Checks all mounted paths starting at the specified directory, which can be root (/), sys, bin, or mail.

    -user root

    Displays only files owned by root.

    -perm -4000

    Displays only files whose permissions include the setuid bit (octal 4000). The leading minus means the remaining permission bits may have any value, so modes such as 4555 or 6555 also match.

    -exec ls -ldb

    Displays the output of the find command in ls -ldb format.

    >/tmp/filename

    Writes results to this file. 

  3. Display the results in /tmp/filename.

    If you need background information about setuid permissions, see "setuid Permission".

Example--Finding Files With setuid Permissions


# find / -user root -perm -4000 -exec ls -ldb {} \; > /tmp/ckprm
# cat /tmp/ckprm
-r-sr-xr-x 1 root bin 38836 Aug 10 16:16 /usr/bin/at
-r-sr-xr-x 1 root bin 19812 Aug 10 16:16 /usr/bin/crontab
---s--x--x 1 root sys 46040 Aug 10 15:18 /usr/bin/ct
-r-sr-xr-x 1 root sys 12092 Aug 11 01:29 /usr/lib/mv_dir
-r-sr-sr-x 1 root bin 33208 Aug 10 15:55 /usr/lib/lpadmin
-r-sr-sr-x 1 root bin 38696 Aug 10 15:55 /usr/lib/lpsched
---s--x--- 1 root rar 45376 Aug 18 15:11 /usr/rar/bin/sh
-r-sr-xr-x 1 root bin 12524 Aug 11 01:27 /usr/bin/df
-rwsr-xr-x 1 root sys 21780 Aug 11 01:27 /usr/bin/newgrp
-r-sr-sr-x 1 root sys 23000 Aug 11 01:27 /usr/bin/passwd
-r-sr-xr-x 1 root sys 23824 Aug 11 01:27 /usr/bin/su
#

An unauthorized user (rar) has made a personal copy of /usr/bin/sh, and has set the permissions as setuid to root. This means that rar can execute /usr/rar/bin/sh and become the privileged user. If you want to save this output for future reference, move the file out of the /tmp directory.
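The one-time check above becomes more useful when its output is kept and compared against later scans. The following shell functions are an added example, not part of the Sun guide: they snapshot the setuid files owned by a user below a directory and report any that were absent from an earlier snapshot, which is how a private setuid-root copy of sh like the one above would stand out. The function names and the baseline file location are assumptions.

```shell
#!/bin/sh
# Added example, not from the Sun guide: snapshot the setuid files owned by a
# user below a directory, then report any that were absent from an earlier
# snapshot. Function names and the baseline file location are assumptions.

# setuid_snapshot DIR [USER]
#   Prints the path of every regular file below DIR that is owned by USER
#   (default root) and has the setuid bit set, sorted for comm(1).
setuid_snapshot() {
    dir=$1
    owner=${2:-root}
    # -perm -4000 matches any mode that includes the setuid bit (4555, 4755,
    # 6555, ...), exactly as in the guide's find command.
    find "$dir" -user "$owner" -perm -4000 -type f -print 2>/dev/null | sort
}

# setuid_audit DIR USER BASELINE
#   BASELINE is a file written earlier by setuid_snapshot. Lists, in ls -ld
#   format, each setuid file present now but not in BASELINE (for example a
#   private copy of sh made setuid to root). Returns 0 if nothing is new.
setuid_audit() {
    dir=$1
    owner=$2
    baseline=$3
    # comm -13 keeps only lines unique to the second input (the live scan).
    new=$(setuid_snapshot "$dir" "$owner" | comm -13 "$baseline" -)
    [ -z "$new" ] && return 0
    printf '%s\n' "$new" | while IFS= read -r path; do
        ls -ld "$path"
    done
    return 1
}

# Typical use (baseline path is an assumption): save the first run as root,
# then compare against it on later runs.
#   setuid_snapshot / root > /var/adm/setuid.baseline
#   setuid_audit / root /var/adm/setuid.baseline
```

Because the baseline holds only paths, it is not disturbed by changing timestamps, and a file that later gains the setuid bit shows up as new just like a freshly copied binary.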