Restricting setuid Executable Files (System Administration Guide: Security Services)

System Administration Guide: Security Services

Previous: Preventing Unintentional Misuse of Machine Resources
Next: Using the Automated Security Enhancement Tool (ASET)

Restricting `setuid` Executable Files

Executable files can be security risks. Many executable programs have to be run as root, that is, as superuser, to work properly. These programs run with the user ID set to 0, that is, setuid=0. Anyone who is running these programs runs the programs with the root ID. A program that runs with the root ID creates a potential security problem if the program was not written with security in mind.

Except for the executables that Sun ships with the setuid bit set to root, you should disallow the use of setuid programs. If you cannot disallow the use of setuid programs, then you should at least restrict their use. Secure administration requires few setuid programs.

Previous: Preventing Unintentional Misuse of Machine Resources
Next: Using the Automated Security Enhancement Tool (ASET)