This procedure locates potentially unauthorized use of the setuid and setgid permissions on programs. A suspicious executable file is one whose ownership has been granted to a user rather than to root or bin.
Before You Begin
You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2.
# find directory -user root -perm -4000 -exec ls -ldb {} \; >/tmp/filename

find directory
    Checks all mounted paths starting at the specified directory, which can be root (/), /usr, /opt, and so on.
-user root
    Displays only files owned by root.
-perm -4000
    Displays only files whose permission bits include 4000 (the setuid bit).
-exec ls -ldb {} \;
    Displays the output of the find command in ls -ldb format. See the ls(1) man page.
/tmp/filename
    Is the file that contains the results of the find command.

For more information, see the find(1) man page.
# more /tmp/filename
For background information, see setuid Permission.
The output from the following example shows that a user in a group called rar has made a personal copy of /usr/bin/rlogin, and has set the permissions as setuid to root. As a result, the /usr/rar/bin/rlogin program runs with root permissions.
After investigating the /usr/rar directory and removing the /usr/rar/bin/rlogin command, the administrator archives the output from the find command.
# find /usr -user root -perm -4000 -exec ls -ldb {} \; > /var/tmp/ckprm
# cat /var/tmp/ckprm
-rwsr-xr-x 1 root sys 28000 Jul 14 14:14 /usr/bin/atq
-rwsr-xr-x 1 root sys 32364 Jul 14 14:14 /usr/bin/atrm
-r-sr-xr-x 1 root sys 41432 Jul 14 14:14 /usr/bin/chkey
-rwsr-xr-x 1 root bin 82804 Jul 14 14:14 /usr/bin/cdrw
-r-sr-xr-x 1 root bin 8008 Jul 14 14:14 /usr/bin/mailq
-r-sr-sr-x 1 root sys 45348 Jul 14 14:14 /usr/bin/passwd
-rwsr-xr-x 1 root bin 37724 Jul 14 14:14 /usr/bin/pfedit
-r-sr-xr-x 1 root bin 51440 Jul 14 14:14 /usr/bin/rcp
---s--x--- 1 root rar 41592 Jul 24 16:14 /usr/rar/bin/rlogin
-r-s--x--x 1 root bin 166908 Jul 14 14:14 /usr/bin/sudo
-r-sr-xr-x 4 root bin 24024 Jul 14 14:14 /usr/bin/uptime
-r-sr-xr-x 1 root bin 79488 Jul 14 14:14 /usr/bin/xlock
# mv /var/tmp/ckprm /var/share/sysreports/ckprm
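The archived report is most useful when the next run is compared against it. The following script is an added example, not part of the Oracle documentation: it reads reports in the ls -ldb line format that the find command above writes, lists setuid files that were not in the archived baseline, and flags entries that sit outside the directories where setuid root programs are expected or that are group-owned by a non-system group (the /usr/rar/bin/rlogin pattern). The TRUSTED_DIRS list and the sample reports are assumptions constructed for the example.

```shell
# Added example, not from the Oracle documentation: review a setuid report in
# the ls -ldb format the find command above writes, against an archived one.

# Directories where setuid root programs are expected (site assumption).
TRUSTED_DIRS='/usr/bin /usr/sbin /usr/lib'

# new_setuid_files CURRENT BASELINE: paths in CURRENT missing from BASELINE.
# The path is the last field of an ls -ldb line (assumes no whitespace in it).
new_setuid_files() {
    awk -v base="$2" '
        FILENAME == base { seen[$NF] = 1; next }
        !($NF in seen)   { print $NF }' "$2" "$1"
}

# suspicious_setuid_files REPORT: full lines for setuid files outside the
# trusted directories or group-owned by a non-system group, as with
# /usr/rar/bin/rlogin in the example above.
suspicious_setuid_files() {
    awk -v dirs="$TRUSTED_DIRS" '
        BEGIN { n = split(dirs, d, " ") }
        {
            path = $NF; group = $4; trusted = 0
            for (i = 1; i <= n; i++)
                if (index(path, d[i] "/") == 1) trusted = 1
            if (!trusted || (group != "root" && group != "bin" && group != "sys"))
                print $0
        }' "$1"
}

# write_sample_reports DIR: two constructed reports (lines copied from the
# example output) so the functions can be exercised without running find.
write_sample_reports() {
    cat > "$1/ckprm.base" <<'EOF'
-rwsr-xr-x 1 root sys 28000 Jul 14 14:14 /usr/bin/atq
-r-sr-sr-x 1 root sys 45348 Jul 14 14:14 /usr/bin/passwd
-r-s--x--x 1 root bin 166908 Jul 14 14:14 /usr/bin/sudo
EOF
    cat > "$1/ckprm.now" <<'EOF'
-rwsr-xr-x 1 root sys 28000 Jul 14 14:14 /usr/bin/atq
-r-sr-sr-x 1 root sys 45348 Jul 14 14:14 /usr/bin/passwd
---s--x--- 1 root rar 41592 Jul 24 16:14 /usr/rar/bin/rlogin
-r-s--x--x 1 root bin 166908 Jul 14 14:14 /usr/bin/sudo
EOF
}
# Demonstration on the constructed reports.
demo_dir=$(mktemp -d)
write_sample_reports "$demo_dir"
new_setuid_files "$demo_dir/ckprm.now" "$demo_dir/ckprm.base"
suspicious_setuid_files "$demo_dir/ckprm.now"
rm -rf "$demo_dir"
```

On a live system, pass the fresh /var/tmp/ckprm as the current report and the archived /var/share/sysreports/ckprm as the baseline.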