Periodically checking a Linux system for SUID or SGID files

Source: Internet
Author: User

SUID files on a Linux system are something people both love and hate. The benefit of SUID is that it lets an ordinary user run certain programs that otherwise only root could execute (such as passwd, ping, mount, etc.). The disadvantage is that if SUID files are poorly managed, they are easily exploited by an attentive attacker to take control of the host. In fact, using SUID to escalate privileges or to plant a backdoor on a Linux host is no secret in the hacker community, and a quick search will turn up several articles. This article does not cover how to attack with SUID; it only covers how to check the system's SUID files.
Check with the following commands (-perm /mode means "any of these bits set"; the older -perm +mode spelling is no longer accepted by current GNU find):

find / -perm /4000 -user root -type f -print
find / -perm /2000 -group root -type f -print

Of course, you can also use the following commands:

find / -uid 0 -perm -4000 -print
find / -type f -perm /6000
find / -path '/proc' -prune -or -perm -u+s -exec ls -l {} \;

Any of these commands will do for a one-off check. If you want to check regularly, here are 2 shell scripts. There is one small catch: you must first run the following 2 commands on a newly installed system to create the baseline lists:

find / -path '/proc' -prune -or -perm -u+s -exec ls -l {} \; > /tmp/suidlist-init
find / -type f -perm /6000 > /etc/sfilelist

You can then use these 2 scripts on a regular basis:

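cat /root/soft_shell/check-suid.sh

#!/bin/bash
# List every SUID/SGID file that is not in the baseline /etc/sfilelist.
OLD_LIST=/etc/sfilelist

find / -type f -perm /6000 | while IFS= read -r i
do
    # -x -F: exact whole-line match, so /bin/su is not hidden by /bin/sudo
    grep -qxF -- "$i" "$OLD_LIST"
    [ $? -ne 0 ] && ls -lh -- "$i"
done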

cat /root/soft_shell/checksuid.sh

#!/bin/bash
# Take today's SUID listing, diff it against the baseline and mail the result.
LOGFILE="/tmp/suidlist-$(date +%y-%m-%d)"
RESULTFILE="/tmp/suid_check_result-$(date +%y-%m-%d)"

find / -path '/proc' -prune -or -perm -u+s -exec ls -l {} \; > "$LOGFILE"
diff /tmp/suidlist-init "$LOGFILE" > "$RESULTFILE"

mutt -s "SUID CHECK result" root < "$RESULTFILE"

Then add a scheduled task:
crontab -e
0 3 * * * /root/soft_shell/checksuid.sh
Or
0 3 * * * /root/soft_shell/check-suid.sh

This allows you to periodically check the system for suid files.
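
A baseline comparison that goes one step further than the two scripts above, added here as an example and not part of the original article: besides new SUID/SGID files it records each file's SHA-256, mode and owner, so a binary replaced under an existing name is reported too. The function names are hypothetical, and GNU find, stat and sha256sum are assumed.

```shell
#!/bin/bash
# Added example (not from the original article). Function names are
# hypothetical; assumes GNU find, stat and sha256sum, as found on Linux.

# suid_snapshot ROOT
# Print one sorted line per SUID/SGID regular file under ROOT:
#   <sha256> <octal mode> <uid> <gid> <path>
# The hash exposes a binary that was replaced while keeping its name and mode.
suid_snapshot() {
    find "$1" -path /proc -prune -o \
        -type f \( -perm -4000 -o -perm -2000 \) \
        -exec sh -c 'for f; do
            printf "%s %s %s\n" \
                "$(sha256sum < "$f" | cut -d" " -f1)" \
                "$(stat -c "%a %u %g" -- "$f")" "$f"
        done' sh {} + 2>/dev/null | LC_ALL=C sort
}

# suid_compare BASELINE CURRENT
# Classify every difference between two snapshots. Exit status is 0 when
# the snapshots agree and 1 otherwise, so cron can mail only on change.
suid_compare() {
    awk '
        {
            path = $0
            sub(/^[^ ]+ [^ ]+ [^ ]+ [^ ]+ /, "", path)   # drop the 4 metadata fields
            meta = substr($0, 1, length($0) - length(path))
        }
        FILENAME == ARGV[1] { base[path] = meta; next }
        {
            seen[path] = 1
            if (!(path in base))         { print "NEW " path;     rc = 1 }
            else if (base[path] != meta) { print "CHANGED " path; rc = 1 }
        }
        END {
            for (p in base) if (!(p in seen)) { print "REMOVED " p; rc = 1 }
            exit rc + 0
        }
    ' "$1" "$2"
}

# Typical use as root (file names are placeholders):
#   suid_snapshot / > BASELINE_FILE     # once, on the freshly installed system
#   suid_snapshot / > CURRENT_FILE && suid_compare BASELINE_FILE CURRENT_FILE
```

Keep the baseline file somewhere only root can write, since anyone who can edit it can hide a change from the comparison.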
