12.2. Shutting SUID and SGID Doors

If you are an administrator or a security specialist, you should know your system inside and out. You already know that one potential security problem is programs with the SUID or SGID bit set. You have to clear these bits on every program that you are not using. But how can you find the programs that have these bits set? Use the following command:

 find / \( -perm -02000 -o -perm -04000 \) -ls 

This command finds all files whose mode includes 02000 or 04000, which correspond to the SGID and SUID bits respectively. The following is an example of the command's output:

 130337  64 -rwsr-xr-x   1 root root   60104  Jul  29 2002 /bin/mount
 130338  32 -rwsr-xr-x   1 root root   30664  Jul  29 2002 /bin/umount
 130341  36 -rwsr-xr-x   1 root root   35040  Jul  19 2002 /bin/ping
 130365  20 -rwsr-xr-x   1 root root   19072  Jul  10 2002 /bin/su
 ...

The most dangerous aspect of this list, security-wise, is that all of these programs run with root permissions yet can be executed by any user or group member. There are programs with the SUID or SGID bit set that belong to other users in the system, but most are owned by root.

If you do not use a program, either delete it or clear the bits. If you think that there are no unnecessary programs in your system, think again. Perhaps there is something you can do without. For example, if a program is not a must for a server, its SUID bit can be cleared.

If, after the initial paring, there are still many privileged programs left, I recommend clearing the bits for all of them. This will make it impossible for users to mount devices or change their passwords. But do they need these services? If some of them do, you can always grant access again by resetting the SUID bit on the program in question.

You can also change the ownership of such programs to less privileged accounts. Even though this is difficult to implement, because you will have to change quite a few permissions, you will sleep better at night.

Why is it so important to regularly check files for the SUID or SGID bit? Because after penetrating a system, hackers often try to fortify their positions in it so as to remain invisible yet retain maximum privileges. The easiest way of achieving this is setting the SUID bit on the bash command interpreter. The interpreter will then execute any user's commands with root rights, meaning that the hackers can have mere guest rights but still perform operations requiring root privileges, that is, anything they may feel like.
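The regular check described above can be turned into a small baseline comparison, so that only newly privileged files are reported rather than the whole list every time. The script below is an added example and is not from the book; it uses the same `-perm -02000 -o -perm -04000` predicates as the command above, adds `-type f` on the assumption that SGID directories (shared group directories) are intentional and should be left out of the report, and builds a throwaway directory tree in place of `/` so it can be run without touching a real system.

```shell
#!/bin/sh
# Audit SUID/SGID files under a given root and report anything not in a known baseline.

# list_privileged ROOT: every SUID or SGID regular file under ROOT, one path per line, sorted
# (sorted output is required by comm below).
list_privileged() {
    find "$1" \( -perm -02000 -o -perm -04000 \) -type f 2>/dev/null | sort
}

# new_privileged ROOT BASELINE: paths that are privileged now but were not in BASELINE.
# Empty output means nothing gained a SUID/SGID bit since the baseline was taken.
new_privileged() {
    list_privileged "$1" | comm -23 - "$2"
}

# demo_report: builds a constructed scratch tree standing in for /, records a baseline,
# then gives a copy of a shell the SUID bit (the persistence pattern warned about above)
# and prints what the check reports, with the scratch prefix stripped for readability.
demo_report() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/tmp"
    for f in mount su ping ls; do : > "$root/bin/$f"; done
    chmod 4755 "$root/bin/mount" "$root/bin/su"   # SUID, as in the listing above
    chmod 2755 "$root/bin/ping"                   # SGID
    chmod 0755 "$root/bin/ls"                     # ordinary file, must never be reported

    list_privileged "$root" > "$root/baseline.txt"   # taken while the tree is trusted

    : > "$root/tmp/bash"
    chmod 4755 "$root/tmp/bash"                   # the change we want the audit to catch

    new_privileged "$root" "$root/baseline.txt" | sed "s#^$root##"
    rm -rf "$root"
}

demo_report   # prints: /tmp/bash
```

On a real host, run `list_privileged /` once after hardening to save the baseline, then schedule `new_privileged / /path/to/baseline` and treat any output as something to investigate.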

Hacker Linux Uncovered
ISBN: 1931769508
Year: 2004
Pages: 141