topic Re: Set UID Programs in Operating System - HP-UX

Set UID Programs

Keith Meloy_1 — Thu, 23 Jan 2003 11:00:37 GMT

I have been asked by auditors to prove that none of my users can write to files containing programs owned by root and run in set uid mode. Does anyone know an easy way to check this?
Cheers

Keith

Re: Set UID Programs

Pete Randall — Thu, 23 Jan 2003 11:12:29 GMT

Send the auditors to Unix Fundamentals 101?

;^)

Pete

Re: Set UID Programs

John Palmer — Thu, 23 Jan 2003 11:32:02 GMT

find / -perm -4000 -type f -user root -exec ls -l {} \;

will give you a list of all root setuid programs. You can then check the permissions to see if any have write permissions that they shouldn't have.

Regards,
John

Re: Set UID Programs

James R. Ferguson — Thu, 23 Jan 2003 11:48:03 GMT

Hi Keith:

# find / -type f -user 0 -perm -u+s -a $ -perm -u+w -o -perm -g+w -o -perm -o+w $ -exec ls -l {} \;

...will find all files (-type f) where the owner is root (-user 0) with the setuid bit on AND (-a) with write permissions on either the owner OR (-o) the group OR the world. For any files found, an 'ls' listing will be output.

See the 'find' and 'chmod' man pages for more information.

Regards!

...JRF...

Re: Set UID Programs

Rajesh G. Ghone — Thu, 23 Jan 2003 14:08:15 GMT

Hi Keith,

You can give umask & check the umask permissions if it is 777 then it has got write permissions to the others also if u want to change the umask settings either you can edit /sbin/init.d/inetd file & change the umask to 022 or u can give umask 022 in /etc/profile file so that whatever files u will be creating now it will be with 722 permissions & the others & group wont have write permissions.
As far uid is concern i think you can check /etc/passwd for user id's.I hope this solves your problem.

Regards,
Rajesh G.

Re: Set UID Programs

doug hosking — Fri, 24 Jan 2003 21:21:21 GMT

I think the problem is likely simpler than is being discussed. Writing to a setuid file by a user other than root clears the setuid bit as a side effect of the write,
which removes this threat. Example:

# touch foo
# chmod 4777 foo
# ll foo
-rwsrwxrwx 1 root sys 0 Jan 24 14:00 foo
# echo foobar >> foo
# ll foo
-rwsrwxrwx 1 root sys 7 Jan 24 14:00 foo
# su bin
$ echo foobar >> foo
$ ll foo
-rwxrwxrwx 1 root sys 14 Jan 24 14:01 foo
$

Note that the setuid bit is now cleared even though nobody did a chmod of the file after
the su.