
Securing Files and Verifying File Integrity in Oracle® Solaris 11.3


Updated: October 2017

How to Find Files With Special File Permissions

This procedure locates potentially unauthorized use of the setuid and setgid permissions on programs. On a correctly configured system, setuid and setgid executables are owned by root, bin, or sys and live in system directories such as /usr/bin. An executable that carries these bits but is owned by an ordinary user, belongs to a user's group, or sits in a user-controlled directory is suspect, because it runs with its owner's privileges no matter who invokes it.

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

  1. Find files with setuid permissions by using the find command.
    # find directory -user root -perm -4000 -exec ls -ldb {} \; >/tmp/filename
    find directory

    Checks all mounted paths starting at the specified directory, which can be root (/), /usr, /opt, and so on.

    -user root

    Displays only files owned by root. Omit this option to list setuid files owned by any account; a setuid executable owned by a user other than root is also worth reviewing.

    -perm -4000

    Displays only files that have the setuid bit (4000) set. The leading minus means "all of these bits", so files with additional permission bits, such as 4755, also match. To find setgid files, use -perm -2000 instead; to find both in one pass, use \( -perm -4000 -o -perm -2000 \).

    -exec ls -ldb

    Displays each file that find matches in ls -ldb format, so that the owner, group, and mode are visible. See the ls(1) man page.

    /tmp/filename

    Is the file that contains the results of the find command.

    For more information, see the find(1) man page.

  2. Display the results in /tmp/filename.
    # more /tmp/filename

    For background information, see setuid Permission.

Example 6  Finding Files With setuid Permissions

The output from the following example shows that a user in a group called rar has made a personal copy of /usr/bin/rlogin and has set the permissions as setuid to root. As a result, the /usr/rar/bin/rlogin program runs with root privileges for anyone who can execute it. The entry stands out in the listing on three counts: it is the only setuid-root file outside /usr/bin, its group is rar rather than bin or sys, and its modification date differs from the rest of the system binaries.

After investigating the /usr/rar directory and removing the /usr/rar/bin/rlogin command, the administrator archives the output from the find command.

# find /usr -user root -perm -4000 -exec ls -ldb {} \; > /var/tmp/ckprm
# cat /var/tmp/ckprm
-rwsr-xr-x  1 root   sys   32432  Jul 14 14:14  /usr/bin/atq
-rwsr-xr-x  1 root   sys   32664  Jul 14 14:14  /usr/bin/atrm
-rwsr-xr-x  1 root   bin   82836  Jul 14 14:14  /usr/bin/cdrw
-r-sr-xr-x  1 root   sys   41448  Jul 14 14:14  /usr/bin/chkey
-r-sr-xr-x  1 root   bin    7968  Jul 14 14:14  /usr/bin/mailq
-r-sr-sr-x  1 root   sys   45364  Jul 14 14:14  /usr/bin/passwd
-rwsr-xr-x  1 root   bin   37740  Jul 14 14:14  /usr/bin/pfedit
-r-sr-xr-x  1 root   bin   51472  Jul 14 14:14  /usr/bin/rcp
---s--x---  1 root   rar   41592  Jul 24 16:14  /usr/rar/bin/rlogin
-r-s--x--x  1 root   bin  213092  Jul 14 14:14  /usr/bin/sudo
-r-sr-xr-x  4 root   bin   24056  Jul 14 14:14  /usr/bin/uptime
-r-sr-xr-x  1 root   bin   79540  Jul 14 14:14  /usr/bin/xlock
# mv /var/tmp/ckprm /var/share/sysreports/ckprm
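The procedure above is a one-time check. In practice an administrator keeps the archived report as a baseline and compares each new scan against it, so that a newly appeared setuid file such as /usr/rar/bin/rlogin is reported rather than buried in a long listing. The following script, added here as an illustration and not part of the Oracle Solaris documentation, wraps that workflow in POSIX sh. It scans for both setuid and setgid files without the -user root restriction, reports paths that are not in the baseline, and flags ls -ld entries whose owner or group is not one of root, bin, or sys. The set of "expected" accounts, the baseline file name, and the sample listing at the end are assumptions made for this example; adjust them to the host being audited.

```shell
#!/bin/sh
# Added example (not Oracle's code): baseline-and-diff audit of setuid/setgid files.
# Works with POSIX find/comm/awk; on Solaris the guide's `ls -ldb` can replace `ls -ld`.

# scan_special_perms DIR
#   Print, sorted, every regular file under DIR with the setuid or setgid bit set.
#   Deliberately omits `-user root` so that setuid files owned by other accounts
#   are reported as well.
scan_special_perms() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# describe_special_perms DIR
#   Same search, but in `ls -ld` format (owner, group, mode, size, date visible).
describe_special_perms() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; 2>/dev/null
}

# new_special_perms BASELINE CURRENT
#   Print paths present in CURRENT but absent from BASELINE. Both files must be
#   sorted path lists, for example the output of scan_special_perms saved earlier.
new_special_perms() {
    comm -13 "$1" "$2"
}

# unexpected_owner LISTING
#   Read `ls -ld` style lines and print those whose owner ($3) or group ($4) is
#   not a system account. The allowlist root/bin/sys is an assumption for this
#   example; some hosts legitimately use other accounts (e.g. uucp, tty).
unexpected_owner() {
    awk '($3 != "root" && $3 != "bin" && $3 != "sys") ||
         ($4 != "root" && $4 != "bin" && $4 != "sys") { print }' "$1"
}

# Demonstration on a constructed listing (lines in the format of the guide's
# Example 6; the rlogin entry is the one that should be flagged).
demo_dir=$(mktemp -d)
cat > "$demo_dir/listing" <<'EOF'
-rwsr-xr-x  1 root   sys   32432  Jul 14 14:14  /usr/bin/atq
-r-sr-sr-x  1 root   sys   45364  Jul 14 14:14  /usr/bin/passwd
---s--x---  1 root   rar   41592  Jul 24 16:14  /usr/rar/bin/rlogin
-r-sr-xr-x  1 root   bin   51472  Jul 14 14:14  /usr/bin/rcp
EOF
echo "Entries with a non-system owner or group:"
unexpected_owner "$demo_dir/listing"
rm -rf "$demo_dir"
```

Typical use on a live system is `scan_special_perms / > /var/tmp/ckprm.new`, then `new_special_perms /var/share/sysreports/ckprm /var/tmp/ckprm.new` against the report archived at the end of Example 6; an empty result means no setuid or setgid file has appeared since the baseline was taken. Because find reports the bits as stored on disk, a file on a filesystem mounted nosuid still appears in the scan even though the kernel ignores its setuid bit at exec time.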