Go to main content

Securing Files and Verifying File Integrity in Oracle® Solaris 11.3

Exit Print View

Updated: October 2017

How to Find Files With Special File Permissions

This procedure locates potentially unauthorized use of the setuid and setgid permissions on programs. A suspicious executable file grants ownership to a user rather than to root or bin.

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

  1. Find files with setuid permissions by using the find command.
    # find directory -user root -perm -4000 -exec ls -ldb {} \; >/tmp/filename
    find directory

    Checks all mounted paths starting at the specified directory, which can be root (/), /usr, /opt, and so on.

    –user root

    Displays files owned only by root.

    –perm –4000

    Displays files only with permissions set to 4000.

    –exec ls –ldb

    Displays the output of the find command in ls -ldb format. See the ls(1) man page.


    Is the file that contains the results of the find command.

    For more information, see the find(1) man page.

  2. Display the results in /tmp/filename.
    # more /tmp/filename

    For background information, see setuid Permission.

Example 6  Finding Files With setuid Permissions

The output from the following example shows that a user in a group called rar has made a personal copy of /usr/bin/rlogin, and has set the permissions as setuid to root. As a result, the /usr/rar/bin/rlogin program runs with root permissions.

After investigating the /usr/rar directory and removing the /usr/rar/bin/rlogin command, the administrator archives the output from the find command.

# find /usr -user root -perm -4000 -exec ls -ldb {} \; > /var/tmp/ckprm
# cat /var/tmp/ckprm
-rwsr-xr-x  1 root   sys   32432  Jul 14 14:14  /usr/bin/atq
-rwsr-xr-x  1 root   sys   32664  Jul 14 14:14  /usr/bin/atrm
-rwsr-xr-x  1 root   bin   82836  Jul 14 14:14  /usr/bin/cdrw
-r-sr-xr-x  1 root   sys   41448  Jul 14 14:14  /usr/bin/chkey
-r-sr-xr-x  1 root   bin    7968  Jul 14 14:14  /usr/bin/mailq
-r-sr-sr-x  1 root   sys   45364  Jul 14 14:14  /usr/bin/passwd
-rwsr-xr-x  1 root   bin   37740  Jul 14 14:14  /usr/bin/pfedit
-r-sr-xr-x  1 root   bin   51472  Jul 14 14:14  /usr/bin/rcp
---s--x---  1 root   rar   41592  Jul 24 16:14  /usr/rar/bin/rlogin
-r-s--x--x  1 root   bin  213092  Jul 14 14:14  /usr/bin/sudo
-r-sr-xr-x  4 root   bin   24056  Jul 14 14:14  /usr/bin/uptime
-r-sr-xr-x  1 root   bin   79540  Jul 14 14:14  /usr/bin/xlock
# mv /var/tmp/ckprm /var/share/sysreports/ckprm