• What is SGID?

  SGID stands for set group id. When looking at files SGID they behave much the same as SUID files, and must be executable for it to have any effect. The SGID bit on a directory means files created in that directory will have their group set to the directory's group.

  • File permissions for SGID enabled files: -r-xr-sr-x
  • File permissions for SGID enabled directories: dr-xr-sr-x
    
     
  • Examples of SGID root programs:
    • write - write to another user (tty group)
    • slocate - linux program to find programs (slocate group)
    
     
  • NOTE: Better to make a program SGID than SUID since fewer rights are granted by group membership opposed to user.

for part in \  
    `awk '($4 == "ufs") {print $3 }' /etc/vfstab` 
do  
    find $part \( -perm -04000 -o -perm -02000\) \ 
        -type f -xdev -print 
done

Checksuid () {

	if [ -x /usr/sbin/ncheck ]; then
	current_suid=`/usr/sbin/ncheck -F ufs -s |wc -l`
	known_suid=276
	if [ ${known_suid} != ${current_suid} ]; then
                echo "Current listing of SUID files does not match the known listing - FAILS CHECK"
               echo "   "
		 exit 1
		else
		echo " Current SUID listing equals known listing - PASSES CHECK"
	fi
	fi
}

News

Gentoo Linux Documentation -- File Permissions

6.b. World/Group writable Code Listing 1: Finding world-writable files and directories # /usr/bin/find / -type f \( -perm -2 -o -perm -20 \) \ -exec ls -lg {} \; 2>/dev/null >writable.txt # /usr/bin/find / -type d \( -perm -2 -o -perm -20 \) \ -exec ls -ldg {} \; 2>/dev/null >>writable.txt This will create a huge file with permission of all files having either write permission set to the group or everybody. Check the permissions and eliminate world writable files to everyone, by executing /bin/chmod o-w on the files. 6.c. SUID/SGID files Files with the SUID or SGID bit set execute with privileges of the owning user or group and not the user executing the file. Normally these bits are used on files that must run as root in order to do what they do. These files can lead to local root compromises (if they contain security holes). This is dangerous and files with the SUID or SGID bits set should be avoided at any cost. If you do not use these files, use chmod 0 on them or unmerge the package that they came from (check which package they belong to by using equery; if you do not already have it installed simply type emerge gentoolkit). Otherwise just turn the SUID bit off with chmod -s. Code Listing 2: Finding setuid files # /usr/bin/find / -type f \( -perm -004000 -o -perm -002000 \) \ -exec ls -lg {} \; 2>/dev/null >suidfiles.txt This will create a file containing a list of all the SUID/SGID files.

To find all SGID files:
find / -xdev -type f -perm +g=s -print

To find all SUID files
find / -xdev -type f -perm +u=s -print

To find all Writable dirs:
find / -xdev -perm +o=w ! \( -type d -perm +o=t \) ! -type l -print

World writable files problem

You can use the find command to search for files that are group writable by a particular group, and to print a list of these files. For example, to search for all files that are writable by the group user, you might specify a command in the following form:

# find / -perm -020 -group user \!   
\( -type l -o -type p -o -type s \) -ls

If you have NFS, be sure to use the longer version of the command:

# find / \( -local -o -prune \) -perm -002 -group user \!   
\( -type l -o -type p -o -type s \) -ls

A more security-conscious site can further generalize this rule:

Files that begin with a period should not be readable or writable by anyone other than the file's owner and group  (that is, they should be mode 620).

Use the following form of the find command to search for all files beginning with a period in the /u filesystem that are either group writable or world writable:

# find /u -perm -2 -o -perm -20 -name .\* -ls

NOTE: As noted earlier, if you're using NFS, be sure to add the -local or -xdev option to each of the find commands above and run them on each of your servers, or use the fstype/prune options.

Shell script to find all world-writable files and directories on Linux or FreeBSD system

#!/bin/bash
# Shell script to find all world-writable files and directories on Linux or
# FreeBSD system
#
# TIP:
# Set 'umask 002' so that new files created will not be world-writable
# And use command 'chmod o-w filename' to disable world-wriable file bit
#
# Copyright (c) 2005 nixCraft project
# This script is licensed under GNU GPL version 2.0 or above
# For more info, please visit:
#            http://cyberciti.biz/shell_scripting/bmsinstall.php
# -------------------------------------------------------------------------
# This script is part of nixCraft shell script collection (NSSC)
# Visit http://bash.cyberciti.biz/ for more information.
# -------------------------------------------------------------------------
SPATH="/usr/local/etc/bashmonscripts"
INITBMS="$SPATH/defaults.conf"
[ ! -f $INITBMS ] && exit 1 || . $INITBMS

[ $# -eq 1 ] && : || die "Usage: $($BASENAME $0) directory" 1

DIRNAME="$1"
$FIND $DIRNAME -xdev -perm +o=w ! \( -type d -perm +o=t \) ! -type l -print
 

find / -perm -2 -a ! -type l /* Find files writable by 'others' */

2005-04-12

find / -perm -0777 -type d -ls /* Find all your writable directories */

2005-03-22

 

Hidden Files

In Unix, "hidden" files are ones with a leading dot, e.g. ".ssh". These don't show up in a normal directory listing (ls), but do with the "all" option (ls -a). Usually, these are used to hide things like login scripts and control files to prevent one's home directory appearing cluttered, but may be used by intruders to hide files.

Normal Unix commands such as find and ls may be used to locate such files, e.g.

find /usr -name '.*' -type d -print

to find "hidden" files and directories. find may also be used to search by modification time, e.g.

find /bin -ctime -365 -print

will find anything changed in the last year, similarly for /sbin /usr/kvm /usr/local/bin etc.

In Win95, hidden files are also possible; BackOrifice uses this technique to hide, using a blank icon and blank prefix, ".exe" does not show up in a icon-based directory.

suid programs

suid root programs are an especial concern, since they execute with root privilege. If such a program can be fooled into executing an arbitrary command, perhaps by a buffer-overrun exploit, it can be used to create new user IDs or open network holes. On some systems (gnu) find may be used to locate these programs, e.g.

find /bin -perm +6000 -print

or perhaps

find /bin -perm +6000 -exec ls -lg {} \;

On systems where find does not support the perm option, ls may be used, e.g.

ls -latg /usr/bin/* /sbin/* /usr/sbin/* /usr/local/bin/* | grep '^...s'

The point here is to find system files that appear to have been modified since the system was installed, or unauthorized programs, such as an suid shell (which executes a user's every command with root privilege).

Precautions

Non-system disk volumes should be mounted nosuid. This is a special concern for Linux users who may have obsolete live systems mounted on CD-ROM.

Data disks may be mounted noexec. This means that files in these directories cannot be executed.

Linux users may use the ext2fs utility chattr to make system directories or files "immutable", or create append-only logfiles. An intruder would first have to gain root, then change the filesystem attributes, before creating a file.

Up to Security Page

A.Daviel
andrew@vancouver-webpages.com

• Casper Dik wrote a tool consiting of a set of scripts which modifies file permissions in an effort to make things more secure. The tool removes group and world write permissions of all files, devices, and directories listed in /var/sadm/install/contents, with the exception of those files listed in exceptions.h, and changes ownership of most files to root.
  
  NOTE: the script has been tested under Solaris 2.2-8 Operating Environment and will purposely fail on other releases. Casper Dik works for Sun in Holland, but the tool is not officially recognized by Sun so it is distributed from Casper's personal account.
  
   
• An advantage in using fix-modes is it creates an audit trail and the changes can be undone which is important if you are embarking on an upgrade.
  
   
• The fix-modes tar-bundle comes with a README with installation instructions.
  
   

• Download fix-modes
   
• Alternate download from CERIAS for fix-modes
• There is a Sun BluePrints[tm] paper discussing fix-modes.
  • Sun BluePrints[tm] Program
     
• Fix-modes is incorporated in JumpStart[tm] Architecture and Security Scripts (JASS) toolkit.
  • Solaris Security Toolkit (JASS)
  • Sun Blueprint for JASS
     
• Fix-modes is also part of the Titan OS hardening tool.
• University of Waterloo also has some Bourne Shell scripts for Solaris 2.6, Solaris 7 and Solaris 8 Setuid/Setgid in addition to other Security: How to Documents"
   
  • Solaris 2.6 Setuid/Setgid files
     
  • Solaris 7 Setuid/Setgid files
     
  • Solaris 8 Setuid/Setgid files