What does it mean for a file to be “setuid?” How do keep track of all setuid enabled file?
setuid means set user ID upon execution. If setuid bit turned on a file, user executing that executable file gets the permissions of the individual or group that owns the file. You need to use the ls -l or find command to see setuid programs. All setuid programs displays S or s in the permission bit (owner-execute) of the ls command. Type the following command:
ls -l /usr/bin/passwd
Sample outputs:
-rwsr-xr-x 1 root root 42856 2009-07-31 19:29 /usr/bin/passwd
How Do I List All setuid Enabled Files?
The following command discovers and prints any setuid files on local system:
# find / -xdev \( -perm -4000 \) -type f -print0 | xargs -0 ls -l
-rwsr-xr-x 1 root root 27256 2010-01-29 00:02 /bin/fusermount -rwsr-xr-x 1 root root 78096 2009-10-23 09:58 /bin/mount -rwsr-xr-x 1 root root 35600 2009-05-12 03:13 /bin/ping -rwsr-xr-x 1 root root 31368 2009-05-12 03:13 /bin/ping6 -rwsr-xr-x 1 root root 36864 2009-07-31 19:29 /bin/su -rwsr-xr-x 1 root root 56616 2009-10-23 09:58 /bin/umount -rwsr-xr-x 1 root root 578776 2009-10-30 17:51 /etc/thnuclnt/.thnumod -rwsr-xr-- 1 root messagebus 47520 2009-10-24 09:00 /lib/dbus-1.0/dbus-daemon-launch-helper -rwsr-xr-x 1 root root 13304 2010-02-15 14:03 /opt/google/chrome/chrome-sandbox -rwsr-xr-x 1 root root 14720 2009-10-23 10:36 /sbin/mount.ecryptfs_private -rwsr-xr-x 1 root root 14640 2009-05-12 03:13 /usr/bin/arping -rwsr-sr-x 1 daemon daemon 52112 2009-09-16 03:59 /usr/bin/at -rwsr-xr-x 1 root root 41864 2009-07-31 19:29 /usr/bin/chfn -rwsr-xr-x 1 root root 37128 2009-07-31 19:29 /usr/bin/chsh -rwsr-xr-x 1 root root 59752 2009-07-31 19:29 /usr/bin/gpasswd -rwsr-xr-x 1 root lpadmin 14256 2010-01-28 17:28 /usr/bin/lppasswd -rwsr-xr-x 1 root root 62368 2008-11-05 18:54 /usr/bin/mtr -rwsr-xr-x 1 root root 32384 2009-07-31 19:29 /usr/bin/newgrp -rwsr-xr-x 1 root root 42856 2009-07-31 19:29 /usr/bin/passwd -rwsr-xr-x 1 root root 14880 2009-10-16 17:13 /usr/bin/pkexec -rwsr-xr-x 1 root root 852296 2009-05-23 06:01 /usr/bin/schroot -rwsr-xr-x 1 root root 143656 2009-06-22 21:45 /usr/bin/sudo -rwsr-xr-x 1 root root 143656 2009-06-22 21:45 /usr/bin/sudoedit -rwsr-xr-x 1 root root 18848 2009-05-12 03:13 /usr/bin/traceroute6.iputils -rwsr-xr-x 1 root root 858000 2009-10-30 17:51 /usr/bin/vmware-mount -rwsr-sr-x 1 root root 10536 2009-11-10 16:18 /usr/bin/X -rwsr-xr-x 1 root root 724784 2009-10-30 17:51 /usr/lib/cups/filter/thnucups -rwsr-xr-x 1 root root 10392 2009-04-29 06:09 /usr/lib/eject/dmcrypt-get-device -rwsr-xr-x 1 root root 197320 2009-10-23 01:28 /usr/lib/openssh/ssh-keysign -rwsr-xr-x 1 root root 14712 2009-10-16 17:13 /usr/lib/policykit-1/polkit-agent-helper-1 -rwsr-xr-x 1 root root 10360 2010-01-03 17:33 /usr/lib/pt_chown -rwsr-sr-x 1 root root 22928 2009-10-15 10:44 /usr/lib/virtualbox/VBoxHeadless -rwsr-sr-x 1 root root 10536 2009-10-15 10:44 /usr/lib/virtualbox/VBoxNetAdpCtl -rwsr-sr-x 1 root root 22928 2009-10-15 10:44 /usr/lib/virtualbox/VBoxNetDHCP -rwsr-sr-x 1 root root 22920 2009-10-15 10:44 /usr/lib/virtualbox/VBoxSDL -rwsr-sr-x 1 root root 27024 2009-10-15 10:44 /usr/lib/virtualbox/VirtualBox -rwsr-xr-x 1 root root 9666976 2009-10-30 17:51 /usr/lib/vmware/bin/vmware-vmx -rwsr-xr-x 1 root root 11605432 2009-10-30 17:51 /usr/lib/vmware/bin/vmware-vmx-debug -rwsr-xr-x 1 root root 10192912 2009-10-30 17:51 /usr/lib/vmware/bin/vmware-vmx-stats -rwsr-xr-- 1 root dip 321600 2009-02-20 23:56 /usr/sbin/pppd -rwsr-sr-x 1 libuuid libuuid 18888 2009-10-23 09:58 /usr/sbin/uuidd -rwsr-xr-x 1 root root 898112 2009-10-30 17:51 /usr/sbin/vmware-authd
The s bit can be removed with the following command:
# chmod -s /path/to/file
Setuid Programs Risk
A attacker can exploit setuid binaries using a shell script or by providing false data. Users normally should not have setuid programs installed, especially setuid to users other than themselves. For example, you should not find setuid enabled binary for root under /home/vivek/crack. These are usually Trojan Horses kind of programs.
Example
In this example, user vivek run the command called “/usr/bin/vi /shared/financialdata.txt”, and the permission on the vi command and the file /shared/financialdata.txt are as follows:
-rwxr-xr-x 1 root root 1871960 2009-09-21 16:57 /usr/bin/vi -rw------- 1 root root 3960 2009-09-21 16:57 /shared/financialdata.txt
Vivek has permission to run /usr/bin/vi, but not permission to read /shared/financialdata.txt. So when vi attempts to read the file a “permission denied” error message will be displayed to vivek. However, if you set the SUID bit on the vi:
chmod u+s /usr/bin/vi ls -l /usr/bin/vi
Now, when vivek runs this SUID program, the access to /shared/financialdata.txt is granted. How does it work? The UNIX system doesn’t think vivek is reading file via vi, it thinks “root” is the user and hence the access is granted.
How Do I Audit And Log setuid System Call Under Linux For Each setuid Binary?
auditd can be used for system auditing under Linux. It can log and audit setuid system call. Edit /etc/audit/audit.rules:
# vi /etc/audit/audit.rules
-a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged -a always,exit -F path=/bin/mount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged -a always,exit -F path=/bin/su -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged -a always,exit -F path=/bin/umount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
Run the following command to get setuid enabled binary from /bin and add them as above:
# find /bin -type f -perm -04000
Save and close the file. Restart auditd:
# service auditd restart
Use aureport command to view audit reports:
# aureport --key --summary
# ausearch --key access --raw | aureport --file --summary
# ausearch --key access --raw | aureport -x --summary
# ausearch --key access --file /bin/mount --raw | aureport --user --summary -i
See Linux audit files to see who made changes to a file.
References:
- man page – chmod, auditd and ls command.
- Setuid Demystified
🐧 8 comments so far... add one ↓
Category | List of Unix and Linux commands |
---|---|
File Management | cat |
Firewall | Alpine Awall • CentOS 8 • OpenSUSE • RHEL 8 • Ubuntu 16.04 • Ubuntu 18.04 • Ubuntu 20.04 |
Network Utilities | dig • host • ip • nmap |
OpenVPN | CentOS 7 • CentOS 8 • Debian 10 • Debian 8/9 • Ubuntu 18.04 • Ubuntu 20.04 |
Package Manager | apk • apt |
Processes Management | bg • chroot • cron • disown • fg • jobs • killall • kill • pidof • pstree • pwdx • time |
Searching | grep • whereis • which |
User Information | groups • id • lastcomm • last • lid/libuser-lid • logname • members • users • whoami • who • w |
WireGuard VPN | Alpine • CentOS 8 • Debian 10 • Firewall • Ubuntu 20.04 |
nice tutorial..
thanks..
Great write up. Thanks a bunch.
This article just saved couple of my days works. i accidentally chown /usr which turns out to remove the setuid bit on couple of file. the list of file makes my computer works again. Thx
Hello,
I have a following situation…
File named “exe” is a shell that I want to execute and which will change content of the file named “file”…
————-
-r-sr-xr-x 1 testuser testuser 55 Jan 2 16:33 exe
-rw——- 1 testuser testuser 347 Jan 2 17:37 file
————-
I’m trying to execute “exe” as another user (not the testuser which is the owner) but I always get the error: ./exe: line 3: file: Permission denied
The content of the “exe” folows:
————-
#!/bin/sh
X=`date`;
echo “$X | Hello World” >> file
————-
I’m I missing something? What’s wrong here?
@dr.ubisha:
You have to add execution permission to your exe file. That means, you have to write the command:
chmod +x exe
If that is done, you can start your exe ;-)
It would be “S” if the didn’t have executable permission, Since it has executable permission the exe file has “s” . The problem is with the Concatenation Operator >> ..
It seems to me that there is an issue with this solution: It only tracks explicitly defined files for a change in suid/sgid status. In other words, it will only tell you when a file that you expressly tell auditd to track has been altered. More often than not what someone will want is to keep track of any file that has been altered to have the suid/sgid bit set when it did not before.
-rwxrwxr-xr-x. 1 root root 2 jan 22 2015 view -> vi
can anyone explain to me what this means? thanks