Securing Files and Verifying File Integrity in Oracle® Solaris 11.4

Updated: August 2018

How to Find Files With Special File Permissions

This procedure locates potentially unauthorized use of the setuid and setgid permissions on programs. A suspicious executable file is one whose ownership is granted to a user rather than to root or bin.

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

  1. Find files with setuid permissions by using the find command.
    # find directory -user root -perm -4000 -exec ls -ldb {} \; >/tmp/filename
    find directory

    Checks all mounted paths starting at the specified directory, which can be root (/), /usr, /opt, and so on.

    -user root

    Displays only files owned by root.

    -perm -4000

    Displays only files whose permission bits include 4000 (the setuid bit).

    -exec ls -ldb

    Displays the output of the find command in ls -ldb format. See the ls(1) man page.

    /tmp/filename

    Is the file that contains the results of the find command.

    For more information, see the find(1) man page.

  2. Display the results in /tmp/filename.
    # more /tmp/filename

    For background information, see setuid Permission.

Example 6  Finding Files With setuid Permissions

The output from the following example shows that a user in a group called rar has made a personal copy of /usr/bin/pfedit, and has set the permissions as setuid to root. As a result, the /usr/rar/pfedit program runs with root permissions.

After investigating the /usr/rar directory and removing the /usr/rar/bin/pfedit command, the administrator archives the output from the find command.

# find /usr -user root -perm -4000 -exec ls -ldb {} \; > /var/tmp/ckprm
# cat /var/tmp/ckprm
-rwsr-xr-x  1 root   sys   47K  Jul 14 14:14  /usr/bin/atq
-rwsr-xr-x  1 root   sys   54K  Jul 14 14:14  /usr/bin/atrm
-rwsr-xr-x  1 root   bin  145K  Jul 14 14:14  /usr/bin/cdrw
-r-x--s--x  1 root   bin  149K  Jul 14 14:14  /usr/bin/mail
-r-sr-sr-x  1 root   sys   62K  Jul 14 14:14  /usr/bin/passwd
-rwsr-xr-x  1 root   rar   58K  Jul 24 14:14  /usr/rar/pfedit
-r-s--x--x  1 root   bin  208K  Jul 14 14:14  /usr/bin/sudo
-r-sr-xr-x  2 root   bin   26K  Jul 14 14:14  /usr/bin/uptime
# mv /var/tmp/ckprm /var/share/sysreports/ckprm
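As an added example (not part of the Oracle documentation), the following POSIX shell script reviews a saved report in the ls -ldb format of /var/tmp/ckprm above: it flags setuid or setgid entries that lie outside assumed trusted prefixes or whose group is neither sys nor bin, and lists entries that are absent from an earlier archived report. The trusted-prefix list, the group list and the sample report lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: review a "find ... -exec ls -ldb" report such as /var/tmp/ckprm.
# Assumptions (not from the documentation): trusted prefixes are /usr/bin,
# /usr/sbin and /usr/lib; trusted groups are sys and bin.

# Read ls -ldb lines on stdin; print the path of every setuid/setgid entry that
# is outside the trusted prefixes or whose group is not a system group.
# Fields: mode links owner group size month day time path (path taken as $NF,
# so paths containing spaces are not handled).
flag_suspicious() {
    awk '
    {
        mode = $1; group = $4; path = $NF
        # setuid shows as s/S in the owner-execute slot (4), setgid in the
        # group-execute slot (7)
        if (substr(mode, 4, 1) !~ /[sS]/ && substr(mode, 7, 1) !~ /[sS]/) next
        trusted  = (path ~ /^\/usr\/(bin|sbin|lib)\//)
        sysgroup = (group == "sys" || group == "bin")
        if (!trusted || !sysgroup) print path
    }'
}

# Print paths present in the new report ($2) but not in the archived one ($1),
# i.e. setuid/setgid files that appeared since the last review.
new_entries() {
    awk 'NR == FNR { seen[$NF] = 1; next } !($NF in seen) { print $NF }' "$1" "$2"
}

# Constructed sample report modelled on Example 6; the /usr/rar entry is the
# personal copy of pfedit that the example describes.
SAMPLE_REPORT='-rwsr-xr-x  1 root   sys   47K  Jul 14 14:14  /usr/bin/atq
-r-x--s--x  1 root   bin  149K  Jul 14 14:14  /usr/bin/mail
-r-sr-sr-x  1 root   sys   62K  Jul 14 14:14  /usr/bin/passwd
-rwsr-xr-x  1 root   rar   58K  Jul 24 14:14  /usr/rar/pfedit
-r-s--x--x  1 root   bin  208K  Jul 14 14:14  /usr/bin/sudo'

# On a live system the report would come from:
#   find /usr -user root -perm -4000 -exec ls -ldb {} \; > /var/tmp/ckprm
# and the archived copy from /var/share/sysreports/ckprm.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_REPORT" | flag_suspicious
fi
```

Run with `--demo` to see the flagged path from the sample report; on a real system pipe the saved report through flag_suspicious and pass the archived and current reports to new_entries.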