
previous page: 13 SATAN doesn't display right in my web browser; it asks me to save the file.
  
page up: comp.security.unix and comp.security.misc FAQ
  
next page: 15 Tcp wrappers (tcpd) thinks all hosts are 0.0.0.0 in Solaris 8 or in some versions of AIX.

14 How do I find all setuid and setgid files?

Description

This article is from the comp.security.unix and comp.security.misc FAQ, by Alan J Rosenthal flaps@dgp.toronto.edu with numerous contributions by others.

find / -local -type f \( -perm -4000 -o -perm -2000 \) -print

or to do an "ls -l" of them:

find / -local -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld '{}' \;

You may want to add the "-u" option to ls to see last-accessed times rather
than last-modified times (especially to help gauge how harmful it would be to
remove the setuid bit from the file).

Some versions of "find" don't have the "-local" option. Its purpose is to
avoid searching nfs volumes. If you don't have any nfs mounts, you can omit
the "-local". If you do, here are some other possibilities:
* On some systems you can do something like
find / -fstype nfs -prune -o -type f \( -perm -4000 ...
* Some systems have "-xdev" or "-mount", which prevent find from
traversing mounts. But then you have to run it for each local
filesystem separately.
* Do the check with nfs filesystems unmounted (e.g. single-user mode).
* As an alternative to find, "ncheck -s" will tell you all setuid and
setgid files, plus all device files (which is something of equal
interest, although usually much less problematic in OS distributions).
It too must be run separately for each filesystem.
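The following POSIX shell functions are an added example, not part of the FAQ: they put the commands above together as a small audit script using the "-xdev" approach (one find per local filesystem), print "ls -ldu" detail so last-access times can be judged, and compare the current set of setuid/setgid files against a saved baseline so a newly appeared one stands out. They assume a find that supports -xdev, and the mount-point helper assumes a Linux /proc/mounts.

```shell
#!/bin/sh
# Added example (not from the FAQ). Audit helpers for setuid/setgid files.
# Usage: find_setuid_files /usr /var ...   (one argument per local filesystem)

# List setuid or setgid regular files under each given root without crossing
# into other filesystems. -perm -4000 matches the setuid bit, -perm -2000 the
# setgid bit; -type f excludes setgid directories, which are harmless here.
find_setuid_files() {
    for root in "$@"; do
        find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
    done
}

# Same list with "ls -ldu" detail: the -u flag shows last-access time, which
# helps judge whether a binary is actually used before its setuid bit is removed.
list_setuid_files() {
    find_setuid_files "$@" | while IFS= read -r path; do
        ls -ldu "$path"
    done
}

# Number of matches, useful as a quick baseline figure.
count_setuid_files() {
    find_setuid_files "$@" | wc -l | tr -d ' '
}

# Print paths that are setuid/setgid now but were absent from a saved baseline
# file (one path per line). A new entry is worth investigating.
new_setuid_since() {
    baseline=$1
    shift
    now="${TMPDIR:-/tmp}/setuid.now.$$"
    find_setuid_files "$@" | sort > "$now"
    sort "$baseline" | comm -13 - "$now"
    rm -f "$now"
}

# Linux-only helper (assumption: /proc/mounts exists): enumerate mount points
# that are neither network nor pseudo filesystems, so that the whole machine
# can be scanned with find_setuid_files $(local_mount_points).
local_mount_points() {
    awk '$3 !~ /^(nfs|nfs4|cifs|smbfs|proc|sysfs|devtmpfs|devpts|cgroup|cgroup2|debugfs|securityfs|tracefs|autofs|fuse.*)$/ { print $2 }' \
        /proc/mounts 2>/dev/null
}
```

A typical use is to run find_setuid_files once on a freshly installed system, save the output as the baseline, and later run new_setuid_since against that file; the baseline itself should be kept off the machine being checked.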

Please note that this is insufficient if you suspect backdoors have been
installed on your system. The backdoor installation activity could have
included modifying the "find" command. The purpose of the above is to find
locally-installed or vendor-supplied security bugs waiting to happen, not to
find backdoors.

Also note that on some systems, "-local" doesn't do what you'd think, because
it still traverses the entire remote filesystem, and rejects all nodes in it
as non-local. In this case you want "! -local -prune -o", i.e. if a file is not
local, prune the search there; otherwise continue with the rest of the expression.
