setuid means set user ID upon execution. If setuid bit turned on a file, user executing that executable file gets the permissions of the individual or group that owns the file. You need to use the ls -l or find command to see setuid programs. All setuid programs displays S or s in the permission bit (owner-execute) of the ls command. Type the following command:
ls -l /usr/bin/passwdSample outputs:
-rwsr-xr-x 1 root root 42856 2009-07-31 19:29 /usr/bin/passwdHow Do I List All setuid Enabled Files?
The following command discovers and prints any setuid files on local system:# find / -xdev \( -perm -4000 \) -type f -print0 | xargs -0 ls -l-rwsr-xr-x 1 root root 27256 2010-01-29 00:02 /bin/fusermountThe s bit can be removed with the following command:
-rwsr-xr-x 1 root root 78096 2009-10-23 09:58 /bin/mount
-rwsr-xr-x 1 root root 35600 2009-05-12 03:13 /bin/ping
-rwsr-xr-x 1 root root 31368 2009-05-12 03:13 /bin/ping6
-rwsr-xr-x 1 root root 36864 2009-07-31 19:29 /bin/su
-rwsr-xr-x 1 root root 56616 2009-10-23 09:58 /bin/umount
-rwsr-xr-x 1 root root 578776 2009-10-30 17:51 /etc/thnuclnt/.thnumod
-rwsr-xr-- 1 root messagebus 47520 2009-10-24 09:00 /lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 13304 2010-02-15 14:03 /opt/google/chrome/chrome-sandbox
-rwsr-xr-x 1 root root 14720 2009-10-23 10:36 /sbin/mount.ecryptfs_private
-rwsr-xr-x 1 root root 14640 2009-05-12 03:13 /usr/bin/arping
-rwsr-sr-x 1 daemon daemon 52112 2009-09-16 03:59 /usr/bin/at
-rwsr-xr-x 1 root root 41864 2009-07-31 19:29 /usr/bin/chfn
-rwsr-xr-x 1 root root 37128 2009-07-31 19:29 /usr/bin/chsh
-rwsr-xr-x 1 root root 59752 2009-07-31 19:29 /usr/bin/gpasswd
-rwsr-xr-x 1 root lpadmin 14256 2010-01-28 17:28 /usr/bin/lppasswd
-rwsr-xr-x 1 root root 62368 2008-11-05 18:54 /usr/bin/mtr
-rwsr-xr-x 1 root root 32384 2009-07-31 19:29 /usr/bin/newgrp
-rwsr-xr-x 1 root root 42856 2009-07-31 19:29 /usr/bin/passwd
-rwsr-xr-x 1 root root 14880 2009-10-16 17:13 /usr/bin/pkexec
-rwsr-xr-x 1 root root 852296 2009-05-23 06:01 /usr/bin/schroot
-rwsr-xr-x 1 root root 143656 2009-06-22 21:45 /usr/bin/sudo
-rwsr-xr-x 1 root root 143656 2009-06-22 21:45 /usr/bin/sudoedit
-rwsr-xr-x 1 root root 18848 2009-05-12 03:13 /usr/bin/traceroute6.iputils
-rwsr-xr-x 1 root root 858000 2009-10-30 17:51 /usr/bin/vmware-mount
-rwsr-sr-x 1 root root 10536 2009-11-10 16:18 /usr/bin/X
-rwsr-xr-x 1 root root 724784 2009-10-30 17:51 /usr/lib/cups/filter/thnucups
-rwsr-xr-x 1 root root 10392 2009-04-29 06:09 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 197320 2009-10-23 01:28 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 14712 2009-10-16 17:13 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 10360 2010-01-03 17:33 /usr/lib/pt_chown
-rwsr-sr-x 1 root root 22928 2009-10-15 10:44 /usr/lib/virtualbox/VBoxHeadless
-rwsr-sr-x 1 root root 10536 2009-10-15 10:44 /usr/lib/virtualbox/VBoxNetAdpCtl
-rwsr-sr-x 1 root root 22928 2009-10-15 10:44 /usr/lib/virtualbox/VBoxNetDHCP
-rwsr-sr-x 1 root root 22920 2009-10-15 10:44 /usr/lib/virtualbox/VBoxSDL
-rwsr-sr-x 1 root root 27024 2009-10-15 10:44 /usr/lib/virtualbox/VirtualBox
-rwsr-xr-x 1 root root 9666976 2009-10-30 17:51 /usr/lib/vmware/bin/vmware-vmx
-rwsr-xr-x 1 root root 11605432 2009-10-30 17:51 /usr/lib/vmware/bin/vmware-vmx-debug
-rwsr-xr-x 1 root root 10192912 2009-10-30 17:51 /usr/lib/vmware/bin/vmware-vmx-stats
-rwsr-xr-- 1 root dip 321600 2009-02-20 23:56 /usr/sbin/pppd
-rwsr-sr-x 1 libuuid libuuid 18888 2009-10-23 09:58 /usr/sbin/uuidd
-rwsr-xr-x 1 root root 898112 2009-10-30 17:51 /usr/sbin/vmware-authd
# chmod -s /path/to/fileSetuid Programs Risk
A attacker can exploit setuid binaries using a shell script or by providing false data. Users normally should not have setuid programs installed, especially setuid to users other than themselves. For example, you should not find setuid enabled binary for root under /home/vivek/crack. These are usually Trojan Horses kind of programs.Example
In this example, user vivek run the command called "/usr/bin/vi /shared/financialdata.txt", and the permission on the vi command and the file /shared/financialdata.txt are as follows:-rwxr-xr-x 1 root root 1871960 2009-09-21 16:57 /usr/bin/viVivek has permission to run /usr/bin/vi, but not permission to read /shared/financialdata.txt. So when vi attempts to read the file a "permission denied" error message will be displayed to vivek. However, if you set the SUID bit on the vi:
-rw------- 1 root root 3960 2009-09-21 16:57 /shared/financialdata.txt
chmod u+s /usr/bin/viNow, when vivek runs this SUID program, the access to /shared/financialdata.txt is granted. How does it work? The UNIX system doesn't think vivek is reading file via vi, it thinks "root" is the user and hence the access is granted.
ls -l /usr/bin/vi
How Do I Audit And Log setuid System Call Under Linux For Each setuid Binary?
auditd can be used for system auditing under Linux. It can log and audit setuid system call. Edit /etc/audit/audit.rules:# vi /etc/audit/audit.rules-a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privilegedRun the following command to get setuid enabled binary from /bin and add them as above:
-a always,exit -F path=/bin/mount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/su -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/umount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
# find /bin -type f -perm -04000Save and close the file. Restart auditd:
# service auditd restartUse aureport command to view audit reports:
# aureport --key --summary
# ausearch --key access --raw | aureport --file --summary
# ausearch --key access --raw | aureport -x --summary
# ausearch --key access --file /bin/mount --raw | aureport --user --summary -i
No comments:
Post a Comment