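#!/bin/sh
# Inventory setuid/setgid files on local filesystems.  The scan has to run as
# root so that every directory on the scanned partitions is readable.
ROOT_UID=0   # Only users with UID 0 have root privileges.
E_NOTROOT=67 # Non-root exit error.
# Run as root, of course.
# $UID is a bash-only variable: under /bin/sh (dash, busybox ash) it is unset,
# so "[ '' -ne 0 ]" is an error rather than a failed test.  The effective UID
# from id(1) is POSIX and works under every /bin/sh.
if [ "$(id -u)" -ne "$ROOT_UID" ]; then
  echo "Must be root to run this script." >&2
  exit "$E_NOTROOT"
fi
# The following command discovers and prints any setuid or setgid files on local partitions. Run it once for
# each local partition PART:
# find PART -xdev \( -perm -4000 -o -perm -2000 \) -type f -print
# If the file does not require a setuid or setgid bit as discussed below, then these bits can be removed with the
# command:
# chmod -s file
# The following table contains all setuid and setgid files which are expected to be on a stock system. The setuid or
# setgid bit on these files may be disabled to reduce system risk if only an administrator requires their functionality.
# The table indicates those files which may not be needed.
# Note: Several of these files are used for applications which are unlikely to be relevant to most production
# environments, such as ISDN networking, SSH hostbased authentication, or modification of network interfaces
# by unprivileged users. It is extremely likely that your site can disable a subset of these files with no loss of
# functionality.
# Any files found by the above command which are not in the table should be examined. If the files are not
# authorized, they should have permissions removed, and further investigation may be warranted.
# File Set-ID Subsystem/Ref Disable?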
# /bin/mount uid root filesystems no
# /bin/ping uid root net (3.3.9) no
# /bin/ping6 uid root net (3.3.9),IPv6 (2.5.3) unless IPv6 is used
# /bin/su uid root auth (2.3.1.2) no
# /bin/umount uid root filesystems no
# /sbin/mount.nfs uid root NFS (3.13) unless NFS is used
# /sbin/mount.nfs4 uid root NFS (3.13) unless NFSv4 is used
# /sbin/netreport gid root net (3.3.9) unless users must modify interfaces
# /sbin/pam_timestamp_check uid root PAM auth (2.3.3) no
# /sbin/umount.nfs uid root NFS (3.13) unless NFS is used
# /sbin/umount.nfs4 uid root NFS (3.13) unless NFSv4 is used
# /sbin/unix_chkpwd uid root PAM auth (2.3.3) no
# /usr/bin/at uid root cron/at (3.4) no
# /usr/bin/chage uid root passwd expiry (2.3.1.7) unless users must view expiry info
# /usr/bin/chfn uid root user info unless users must change finger info
# /usr/bin/chsh uid root user info unless users must change shells
# /usr/bin/crontab uid/gid root cron/at (3.4) unless users must use cron
# /usr/bin/gpasswd uid root group auth no
# /usr/bin/locate gid slocate locate database no
# /usr/bin/lockfile gid mail procmail unless procmail is used
# /usr/bin/newgrp uid root group auth no
# /usr/bin/passwd uid root passwd auth no
# /usr/bin/rcp uid root rsh (3.2.3) yes (rsh is obsolete)
# /usr/bin/rlogin uid root rsh (3.2.3) yes (rsh is obsolete)
# /usr/bin/rsh uid root rsh (3.2.3) yes (rsh is obsolete)
# /usr/bin/ssh-agent gid nobody SSH (3.5) no
# /usr/bin/sudo uid root sudo (2.3.1.3) no
# /usr/bin/sudoedit uid root sudo (2.3.1.3) no
# /usr/bin/wall gid tty console messaging unless console messaging is used
# /usr/bin/write gid tty console messaging unless console messaging is used
# /usr/bin/Xorg uid root X11 (3.6) unless X11 is used
# /usr/kerberos/bin/ksu uid root Kerberos auth (2.3.6) unless Kerberos is used
# /usr/libexec/openssh/ssh-keysign uid root SSH (3.5) unless sshd uses hostbased auth
# /usr/libexec/utempter/utempter gid utmp terminal support no
# /usr/lib/squid/pam_auth uid root squid (3.19)
unless squid is used # /usr/lib/squid/ncsa_auth uid root squid (3.19) unless squid is used # /usr/lib/vte/gnome-pty-helper gid utmp X11, Gnome (3.6) unless X11 is used # /usr/sbin/ccreds validate uid root PAM auth (2.3.3) unless PAM auth caching is used # /usr/sbin/lockdev gid lock filesystems no # /usr/sbin/sendmail.sendmail gid smmsp sendmail client (3.11.2) no # /usr/sbin/suexec uid root apache (3.16) unless apache is used # /usr/sbin/userhelper uid root PAM auth (2.3.3.4) restrict (see section) # /usr/sbin/userisdnctl uid root ISDN unless ISDN is used # /usr/sbin/usernetctl uid root user network control unless users must modify interfaces find / -xdev \( -perm -4000 -o -perm -2000 \) -type f -print | (cat <