Securing Files and Verifying File Integrity in Oracle® Solaris 11.2

Updated: July 2014

How to Find Files With Special File Permissions

This procedure locates potentially unauthorized use of the setuid and setgid permissions on programs. A suspicious executable file is a set-id program that is not part of the installed system, for example a setuid-root program in a user's directory, or one whose group is an ordinary user's group rather than sys or bin (see Example 1-6).

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2.

  1. Find files with setuid permissions by using the find command.
    # find directory -user root -perm -4000 -exec ls -ldb {} \; >/tmp/filename
    find directory

    Checks all mounted paths starting at the specified directory, which can be root (/), /usr, /opt, and so on.

    -user root

    Matches only files owned by root.

    -perm -4000

    Matches files that have the setuid bit (4000) set, whatever the other permission bits are; the mode does not have to be exactly 4000. To find setgid programs, use -perm -2000 instead, or combine the two with \( -perm -4000 -o -perm -2000 \).

    -exec ls -ldb

    Displays each matching file in ls -ldb format (long listing, directories shown as themselves, nonprintable characters in file names shown in octal). See the ls(1) man page.

    /tmp/filename

    Is the file that contains the results of the find command.

    For more information, see the find(1) man page.

  2. Display the results in /tmp/filename.
    # more /tmp/filename

    For background information, see setuid Permission.

Example 1-6  Finding Files With setuid Permissions

The output from the following example shows that a copy of /usr/bin/rlogin has been placed in /usr/rar/bin, the directory of a user in a group called rar. The copy is owned by root, group-owned by rar, and has the setuid bit set (mode ---s--x---, octal 4110), so only root and members of rar can run it, and when they do it runs with root privileges. Its modification time (Jul 24) also differs from that of the installed system programs (Jul 14), another sign that it is not part of the system.

After investigating the /usr/rar directory and removing the /usr/rar/bin/rlogin command, the administrator archives the output from the find command so that later runs can be compared against it.

# find /usr -user root -perm -4000 -exec ls -ldb {} \; > /var/tmp/ckprm
# cat /var/tmp/ckprm
-rwsr-xr-x  1 root   sys   28000  Jul 14 14:14  /usr/bin/atq
-rwsr-xr-x  1 root   sys   32364  Jul 14 14:14  /usr/bin/atrm
-r-sr-xr-x  1 root   sys   41432  Jul 14 14:14  /usr/bin/chkey
-rwsr-xr-x  1 root   bin   82804  Jul 14 14:14  /usr/bin/cdrw
-r-sr-xr-x  1 root   bin    8008  Jul 14 14:14  /usr/bin/mailq
-r-sr-sr-x  1 root   sys   45348  Jul 14 14:14  /usr/bin/passwd
-rwsr-xr-x  1 root   bin   37724  Jul 14 14:14  /usr/bin/pfedit
-r-sr-xr-x  1 root   bin   51440  Jul 14 14:14  /usr/bin/rcp
---s--x---  1 root   rar   41592  Jul 24 16:14  /usr/rar/bin/rlogin
-r-s--x--x  1 root   bin  166908  Jul 14 14:14  /usr/bin/sudo
-r-sr-xr-x  4 root   bin   24024  Jul 14 14:14  /usr/bin/uptime
-r-sr-xr-x  1 root   bin   79488  Jul 14 14:14  /usr/bin/xlock
# mv /var/tmp/ckprm /var/share/sysreports/ckprm
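The following script is added here as an illustration and is not part of the Oracle Solaris guide. It automates the procedure and Example 1-6: it extends the find command to setgid files as well, flags root-owned set-id programs that are not where the installed system keeps them, and lists what a fresh report contains that an archived one such as /var/share/sysreports/ckprm does not. The expected directories (/usr/bin, /usr/sbin, /usr/lib, /usr/xpg4/bin) and expected groups (sys, bin, root) are assumptions made for the example, not rules from the guide, and should be adjusted to the local installation; the sample report is constructed from four lines of Example 1-6 plus one made-up entry under /opt/local.

```shell
#!/bin/sh
# Added example, not from the Oracle Solaris guide: report root-owned
# setuid/setgid files, flag the ones that look out of place, and show what
# is new compared with an archived report.
#
# ASSUMPTIONS (not stated in the guide; adjust for the local system):
#   - Installed set-id programs live under /usr/bin, /usr/sbin, /usr/lib
#     or /usr/xpg4/bin and are group-owned by sys, bin or root.
#   - A set-id root file anywhere else, or with any other group, is
#     worth investigating.

# Step 1 of the procedure, extended to setgid: -perm -4000 / -perm -2000
# match files with the setuid / setgid bit set, whatever the other mode
# bits are (the mode does not have to be exactly 4000).
find_setid_root() {
    find "$1" -type f -user root \( -perm -4000 -o -perm -2000 \) \
        -exec ls -ld {} \;
}

# Read "ls -ld" lines on stdin; print mode, group and path for entries
# whose group or location is not in the expected set above.
flag_suspicious() {
    while read -r mode links owner group size mon day tm path; do
        case $mode in *s*|*S*) ;; *) continue ;; esac   # no set-id bit
        [ "$owner" = root ] || continue
        case $group in sys|bin|root) ok_group=1 ;; *) ok_group=0 ;; esac
        case $path in
            /usr/bin/*|/usr/sbin/*|/usr/lib/*|/usr/xpg4/bin/*) ok_dir=1 ;;
            *) ok_dir=0 ;;
        esac
        if [ "$ok_group" -eq 0 ] || [ "$ok_dir" -eq 0 ]; then
            printf '%s %s %s\n' "$mode" "$group" "$path"
        fi
    done
}

# Lines of the new report ($2) whose path (last field) does not appear in
# the archived report ($1). Paths containing spaces would need a
# different split.
new_entries() {
    awk 'FILENAME == ARGV[1] { seen[$NF] = 1; next } !($NF in seen)' "$1" "$2"
}

# Constructed sample report: four lines taken from Example 1-6 plus one
# made-up setuid copy of su under /opt/local (not from the guide).
sample_report() {
    printf '%s\n' \
        '-rwsr-xr-x  1 root   sys   28000  Jul 14 14:14  /usr/bin/atq' \
        '-r-sr-sr-x  1 root   sys   45348  Jul 14 14:14  /usr/bin/passwd' \
        '-r-s--x--x  1 root   bin  166908  Jul 14 14:14  /usr/bin/sudo' \
        '---s--x---  1 root   rar   41592  Jul 24 16:14  /usr/rar/bin/rlogin' \
        '-rwsr-xr-x  1 root   sys   20000  Jul 20 10:00  /opt/local/bin/su'
}

# Demo on the constructed sample. On a live system run instead:
#   find_setid_root /usr > /var/tmp/ckprm
#   flag_suspicious < /var/tmp/ckprm
#   new_entries /var/share/sysreports/ckprm /var/tmp/ckprm
sample_report | flag_suspicious
```

On the sample, flag_suspicious reports the rlogin copy (group rar is not a system group) and the /opt/local entry (outside the expected directories) and stays silent on the three genuine /usr/bin programs. The comparison step is what makes the archived report useful: once a baseline has been reviewed, only the paths that were not in it need to be looked at on the next run.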