This procedure locates potentially unauthorized use of the setuid and setgid permissions on programs. A suspicious executable is one whose ownership is held by an ordinary user rather than by root or bin.
Before You Begin
You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.
# find directory -user root -perm -4000 -exec ls -ldb {} \; >/tmp/filename

directory        Checks all mounted paths starting at the specified directory, which can be root (/), /usr, /opt, and so on.
-user root       Displays only files owned by root.
-perm -4000      Displays only files that have the setuid bit (4000) set.
-exec ls -ldb    Displays the output of the find command in ls -ldb format. See the ls(1) man page.
/tmp/filename    Is the file that contains the results of the find command.

For more information, see the find(1) man page.
# more /tmp/filename
For background information, see setuid Permission.
The output from the following example shows that a user in a group called rar has made a personal copy of /usr/bin/rlogin, and has set the permissions as setuid to root. As a result, the /usr/rar/bin/rlogin program runs with root permissions.
After investigating the /usr/rar directory and removing the /usr/rar/bin/rlogin command, the administrator archives the output from the find command.
# find /usr -user root -perm -4000 -exec ls -ldb {} \; > /var/tmp/ckprm
# cat /var/tmp/ckprm
-rwsr-xr-x 1 root sys 32432 Jul 14 14:14 /usr/bin/atq
-rwsr-xr-x 1 root sys 32664 Jul 14 14:14 /usr/bin/atrm
-rwsr-xr-x 1 root bin 82836 Jul 14 14:14 /usr/bin/cdrw
-r-sr-xr-x 1 root sys 41448 Jul 14 14:14 /usr/bin/chkey
-r-sr-xr-x 1 root bin 7968 Jul 14 14:14 /usr/bin/mailq
-r-sr-sr-x 1 root sys 45364 Jul 14 14:14 /usr/bin/passwd
-rwsr-xr-x 1 root bin 37740 Jul 14 14:14 /usr/bin/pfedit
-r-sr-xr-x 1 root bin 51472 Jul 14 14:14 /usr/bin/rcp
---s--x--- 1 root rar 41592 Jul 24 16:14 /usr/rar/bin/rlogin
-r-s--x--x 1 root bin 213092 Jul 14 14:14 /usr/bin/sudo
-r-sr-xr-x 4 root bin 24056 Jul 14 14:14 /usr/bin/uptime
-r-sr-xr-x 1 root bin 79540 Jul 14 14:14 /usr/bin/xlock
# mv /var/tmp/ckprm /var/share/sysreports/ckprm
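The following POSIX shell script is an added example, not part of the Oracle Solaris page: it automates the check above and goes slightly beyond it, finding setgid (2000) as well as setuid (4000) files and flagging any whose owner or group is not in a trusted list, which is exactly what singles out /usr/rar/bin/rlogin (group rar) in the output above. It assumes paths contain no spaces, because it parses ls -ld output by field the same way the page reads it.

```shell
#!/bin/sh
# Added example (not from the Oracle Solaris page): audit setuid/setgid executables
# under a directory and flag any whose owner or group is not a trusted system account.
# Assumption: paths contain no spaces, since ls -ld output is parsed by field.

# Print "mode owner group path" for each setuid or setgid regular file below $1.
list_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; 2>/dev/null |
        awk '{ print $1, $3, $4, $NF }'
}

# Count setuid/setgid files below $1.
count_setuid() {
    list_setuid "$1" | wc -l | tr -d ' '
}

# Print the files below $1 whose owner or group is not in the space-separated
# trusted list $2 (for example "root bin sys"). Applied to the page's output this
# reports /usr/rar/bin/rlogin, which is owned by root but belongs to group rar.
untrusted_setuid() {
    dir=$1
    trusted=" $2 "
    list_setuid "$dir" | while read -r mode owner group path; do
        case "$trusted" in
            *" $owner "*) owner_ok=1 ;;
            *)            owner_ok=0 ;;
        esac
        case "$trusted" in
            *" $group "*) group_ok=1 ;;
            *)            group_ok=0 ;;
        esac
        if [ "$owner_ok" -eq 0 ] || [ "$group_ok" -eq 0 ]; then
            printf '%s %s:%s %s\n' "$mode" "$owner" "$group" "$path"
        fi
    done
}

# Stand-alone run: "sh audit_setuid.sh --run /usr" audits /usr against the
# usual Solaris system accounts; without --run the functions are only defined.
if [ "${1:-}" = "--run" ]; then
    untrusted_setuid "${2:-/usr}" "root bin sys"
fi
```

Archive the output as the page does (for example under /var/share/sysreports) so that later runs can be compared against a known-good baseline.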