The following example shows the use of ncheck to examine the /usr filesystem (assuming /dev/dsk/c1b0t1d0s2 is the special file) for set-UID files. Examine the /etc/vfstab file to find the appropriate special filename for your system. The normal output of the ncheck -s command includes special files. The -F vxfs option tells ncheck to expect a vxfs filesystem type. Other filesystem types also support ncheck; see ncheck(1M) for more information. The output of ncheck, filtered through cut, is passed as arguments to the ls command. Using the ls command in this way is possible only if the filesystem is mounted.
In this example, the file /usr/rar/bin/su should be investigated.

# ncheck -F vxfs -s /dev/dsk/c1b0t1d0s2 | cut -f2 | xargs ls -l >/tmp/cksuid
# cat /tmp/cksuid
-r-sr-xr-x 1 root sys 65988 Nov 1 11:22 /sbin/su
-rwxr-sr-x 1 bin sys 43544 Nov 1 11:24 /sbin/swap
-r-xr-sr-x 1 bin sys 14448 Nov 1 11:23 /usr/bin/crontab
---x--s--x 1 uucp uucp 42376 Nov 1 11:23 /usr/bin/cu
---s--x--- 2 root lp 38780 Nov 1 11:23 /usr/bin/disable
---s--x--- 2 root lp 38780 Nov 1 11:23 /usr/bin/enable
-r-xr-sr-x 1 bin sys 23392 Nov 1 11:23 /usr/bin/ipcs
-r-xr-sr-x 2 bin mail 232240 Nov 1 11:22 /usr/bin/mail
-r-xr-sr-x 1 bin mail 211356 Nov 1 11:22 /usr/bin/mailx
-r-sr-sr-x 1 root sys 29960 Nov 1 11:23 /usr/bin/passwd
-r-sr-xr-x 1 root root 14480 Nov 1 11:23 /usr/bin/priocntl
-r-xr-sr-x 2 bin mail 232240 Nov 1 11:22 /usr/bin/rmail
---s--s--x 1 uucp uucp 65244 Nov 1 11:23 /usr/bin/uucp
---x--s--x 1 uucp uucp 15300 Nov 1 11:23 /usr/bin/uuname
---x--s--x 1 uucp uucp 58732 Nov 1 11:23 /usr/bin/uustat
---x--s--x 1 uucp uucp 48904 Nov 1 11:23 /usr/bin/uux
-r-sr-x--x 1 root mail 106440 Nov 1 11:26 /usr/ucblib/sendmail
-r-sr-x--x 1 root mail 109688 Nov 1 11:26 /usr/ucblib/sendmail.mx
-r-x--s--x 1 bin dos 13920 Nov 1 11:20 /usr/bin/doscat
. . .
-r-x--s--x 1 bin dos 30436 Nov 1 11:20 /usr/bin/doscp
-r-xr-sr-x 1 bin sys 42988 Nov 1 10:28 /usr/bin/netstat
-r-sr-xr-x 1 root root 65988 Nov 1 11:51 /usr/bin/su
-r-xr-s--x 1 sys sys 19640 Nov 1 11:29 /usr/bin/uidadmin
---s--x--- 1 root lp 246156 Nov 1 10:28 /usr/lib/lp/lpsched
-r-sr-xr-x 1 root sys 23824 Nov 1 01:27 /usr/rar/bin/su
-r-xr-sr-x 1 bin sys 11274 Oct 20 09:25 /usr/sbin/whodo
#
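One way to triage a listing like /tmp/cksuid, shown as an added example that is not part of the original text: the function below reads ls -l lines and prints every set-UID file owned by root that is missing from a baseline of expected paths. The BASELINE contents and the function names are assumptions made for illustration; the sample lines are a subset of the listing above.

```shell
#!/bin/sh
# Added example: report set-UID root files in `ls -l` output that are not on
# a baseline of expected paths.

# ASSUMPTION: constructed baseline for illustration only. Build a real one
# from a known-good installation of your own system.
BASELINE="/sbin/su /usr/bin/su /usr/bin/passwd /usr/bin/priocntl"
BASELINE="$BASELINE /usr/bin/disable /usr/bin/enable /usr/lib/lp/lpsched"
BASELINE="$BASELINE /usr/ucblib/sendmail /usr/ucblib/sendmail.mx"

# Sample input: a subset of the /tmp/cksuid listing shown above.
sample_listing() {
cat <<'EOF'
-r-sr-xr-x 1 root sys 65988 Nov 1 11:22 /sbin/su
-r-xr-sr-x 1 bin sys 14448 Nov 1 11:23 /usr/bin/crontab
---s--x--- 2 root lp 38780 Nov 1 11:23 /usr/bin/disable
-r-sr-sr-x 1 root sys 29960 Nov 1 11:23 /usr/bin/passwd
---s--s--x 1 uucp uucp 65244 Nov 1 11:23 /usr/bin/uucp
-r-sr-xr-x 1 root root 65988 Nov 1 11:51 /usr/bin/su
---s--x--- 1 root lp 246156 Nov 1 10:28 /usr/lib/lp/lpsched
-r-sr-xr-x 1 root sys 23824 Nov 1 01:27 /usr/rar/bin/su
-r-xr-sr-x 1 bin sys 11274 Oct 20 09:25 /usr/sbin/whodo
EOF
}

# unexpected_suid_root: read `ls -l` lines on stdin and print the path of each
# entry that
#   - has s or S in the owner-execute position (4th character of the mode),
#   - is owned by root (3rd field), and
#   - is not listed in BASELINE.
# Set-GID-only entries and set-UID files owned by other users are skipped.
# Limitation: the path is taken from the last field, so names containing
# whitespace are not handled.
unexpected_suid_root() {
    awk -v baseline="$BASELINE" '
        BEGIN {
            n = split(baseline, b, " ")
            for (i = 1; i <= n; i++) ok[b[i]] = 1
        }
        NF >= 9 && substr($1, 4, 1) ~ /[sS]/ && $3 == "root" && !($NF in ok) {
            print $NF
        }
    '
}

# Stand-alone run over the sample; on a live system use:
#   unexpected_suid_root </tmp/cksuid
sample_listing | unexpected_suid_root
```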