setuid means set user ID upon execution. If setuid bit turned on a file, user executing that executable file gets the permissions of the individual or group that owns the file. You need to use the ls -l or find command to see setuid programs. All setuid programs displays S or s in the permission bit (owner-execute) of the ls command. Type the following command:
ls -l /usr/bin/passwd |
Sample outputs:
-rwsr-xr-x 1 root root 42856 2009-07-31 19:29 /usr/bin/passwd
How Do I List All setuid Enabled Files?
The following command discovers and prints any setuid files on local system:
# find / -xdev \( -perm -4000 \) -type f -print0 | xargs -0 ls -l
The s bit can be removed with the following command:
# chmod -s /path/to/file
Setuid Programs Risk
A attacker can exploit setuid binaries using a shell script or by providing false data. Users normally should not have setuid programs installed, especially setuid to users other than themselves. For example, you should not find setuid enabled binary for root under /home/vivek/crack. These are usually Trojan Horses kind of programs.
Example
In this example, user vivek run the command called “/usr/bin/vi /shared/financialdata.txt”, and the permission on the vi command and the file /shared/financialdata.txt are as follows:
-rwxr-xr-x 1 root root 1871960 2009-09-21 16:57 /usr/bin/vi -rw------- 1 root root 3960 2009-09-21 16:57 /shared/financialdata.txt
Vivek has permission to run /usr/bin/vi, but not permission to read /shared/financialdata.txt. So when vi attempts to read the file a “permission denied” error message will be displayed to vivek. However, if you set the SUID bit on the vi:
chmod u+s /usr/bin/vi ls -l /usr/bin/vi |
Now, when vivek runs this SUID program, the access to /shared/financialdata.txt is granted. How does it work? The UNIX system doesn’t think vivek is reading file via vi, it thinks “root” is the user and hence the access is granted.
How Do I Audit And Log setuid System Call Under Linux For Each setuid Binary?
auditd can be used for system auditing under Linux. It can log and audit setuid system call. Edit /etc/audit/audit.rules:
# vi /etc/audit/audit.rules
-a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged -a always,exit -F path=/bin/mount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged -a always,exit -F path=/bin/su -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged -a always,exit -F path=/bin/umount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
Run the following command to get setuid enabled binary from /bin and add them as above:
# find /bin -type f -perm -04000
Save and close the file. Restart auditd:
# service auditd restart
Use aureport command to view audit reports:
# aureport --key --summary
# ausearch --key access --raw | aureport --file --summary
# ausearch --key access --raw | aureport -x --summary
# ausearch --key access --file /bin/mount --raw | aureport --user --summary -i
A Passionate Techie 