Searching for Files That Make You root

If root owns a file, and that file has the setuid bit set, then when that file is executed it runs with the power of root, regardless of who runs it (review Chapter 8, "Working with Permissions and Ownership"). If a setuid root file has its permissions set so that anyone can execute it (known to programmers as world executable), then anyone on the system can run the file and perhaps use it to obtain root access.

Some world-executable commands are intentionally "setuid root" because they need to access parts of the system normally available only to root. The lsof program is one example. These programs are (hopefully) carefully written to prevent anyone from using them to create a new shell or to execute other commands.

You can use the find command to search your entire system for setuid root files.

As of Mac OS X version 10.4, there are dozens of world-executable setuid root programs on the system.

A good security practice would be to create a list of all the setuid root programs on your machine, save it somewhere safe (such as on a CD), and periodically compare the saved list with a newly generated version. If you found any new programs on the list, you would want to check with Apple to see if they were really supposed to be there.

This is obviously a time-consuming and annoying process, which is true of most security tasks.

To search for setuid root files:

  • sudo find / -type f -user root -perm -4000

    The command must be run as root in order to read every file on the system, hence the sudo (see Chapter 11 for more on sudo and Chapter 4, "Useful Unix Utilities," for more on find). The find command is being told to search starting at / for files (-type f) owned by root (-user root) that have the setuid bit set (-perm -4000).

Tip

  • The command will take a while to finish, since it has to look at every file on your system. You might want to pipe the results into e-mail and put it in the background by adding the following to the end of the command line:

    | mail youremailaddress &
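As an added example (not from the book), the script below implements the baseline-and-compare practice described above, using the same find test. The script name, the function names and the baseline path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: baseline-and-compare audit of setuid root files.
# Usage (script name and baseline path are hypothetical):
#   sudo sh setuid_audit.sh baseline /Volumes/SAFE/setuid.baseline
#   sudo sh setuid_audit.sh check    /Volumes/SAFE/setuid.baseline

# list_setuid ROOT [OWNER]: sorted paths of regular files under ROOT owned by
# OWNER (default root) with the setuid bit set. This is the same test as the
# find command in the text. Unreadable directories are skipped silently, so
# run it under sudo to cover the whole system.
list_setuid() {
    find "$1" -type f -user "${2:-root}" -perm -4000 2>/dev/null | LC_ALL=C sort
}

# Both list files must come from list_setuid: comm needs C-locale sorted input.
new_entries()     { LC_ALL=C comm -13 "$1" "$2"; }   # in CURRENT, not in BASELINE
missing_entries() { LC_ALL=C comm -23 "$1" "$2"; }   # in BASELINE, not in CURRENT

# audit_setuid BASELINE ROOT [OWNER]: print differences; return 0 only if none.
audit_setuid() {
    current=$(mktemp /tmp/setuid.XXXXXX) || return 2
    list_setuid "$2" "${3:-root}" > "$current"
    added=$(new_entries "$1" "$current")
    removed=$(missing_entries "$1" "$current")
    rm -f "$current"
    if [ -n "$added" ];   then printf '%s\n' "$added"   | sed 's/^/NEW      /'; fi
    if [ -n "$removed" ]; then printf '%s\n' "$removed" | sed 's/^/MISSING  /'; fi
    [ -z "$added$removed" ]
}

# Nothing runs unless the script is given a mode argument.
case "${1:-}" in
    baseline) list_setuid / > "$2" ;;
    check)    audit_setuid "$2" / ;;
esac
```

The check mode exits nonzero when the current list differs from the baseline, so a scheduled job can mail its output only when something changed.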




Unix for Mac OS X 10.4 Tiger: Visual QuickPro Guide (2nd Edition)
ISBN: 0321246683
EAN: 2147483647
Year: 2004
Pages: 161
Authors: Matisse Enzer
