Here is a command to list executable binaries carrying unauthorized SUID/SGID bits. It has to be run once for each partition on the system, passing the partition's mount point (for example /, /usr or /home; the device node such as /dev/sda1 is not a valid argument, since find would only examine that one file). The -xdev option keeps find from crossing into other mounted filesystems:
find / -xdev \( -perm -4000 -o -perm -2000 \) -type f -print
If a file is found that does not need setuid/setgid, both bits can be removed by running (as root):
# chmod -s file
The following table lists the setuid/setgid binaries normally found on a default system and the proposed configuration for each:
| File | Set-ID | Subsystem | Disable |
|---|---|---|---|
| /bin/mount | uid root | filesystems | no |
| /bin/ping | uid root | net | no |
| /bin/ping6 | uid root | net IPv6 | yes |
| /bin/su | uid root | auth | no |
| /bin/umount | uid root | filesystems | no |
| /sbin/mount.nfs | uid root | NFS | no if NFS is used |
| /sbin/mount.nfs4 | uid root | NFS | no if NFSv4 is used |
| /sbin/netreport | gid root | net | no if users manage interfaces |
| /sbin/pam_timestamp_check | uid root | PAM auth | no |
| /sbin/umount.nfs | uid root | NFS | no if NFS is used |
| /sbin/umount.nfs4 | uid root | NFS | no if NFSv4 is used |
| /sbin/unix_chkpwd | uid root | PAM auth | no |
| /usr/bin/at | uid root | cron/at | no |
| /usr/bin/chage | uid root | password expiry | no if users view password expiry |
| /usr/bin/chfn | uid root | user info | no if finger is used |
| /usr/bin/chsh | uid root | user info | no if users change shells |
| /usr/bin/crontab | uid/gid root | cron/at | no if cron is used |
| /usr/bin/gpasswd | uid root | group auth | no |
| /usr/bin/locate | gid slocate | locate database | no |
| /usr/bin/lockfile | gid mail | procmail | no if procmail is used |
| /usr/bin/newgrp | uid root | group auth | no |
| /usr/bin/passwd | uid root | password auth | no |
| /usr/bin/rcp | uid root | rsh | yes (rsh is obsolete) |
| /usr/bin/rlogin | uid root | rsh | yes (rsh is obsolete) |
| /usr/bin/rsh | uid root | rsh | yes (rsh is obsolete) |
| /usr/bin/ssh-agent | gid nobody | SSH | no |
| /usr/bin/sudo | uid root | sudo | no |
| /usr/bin/sudoedit | uid root | sudo | no |
| /usr/bin/wall | gid tty | console messaging | no if console messaging is used |
| /usr/bin/write | gid tty | console messaging | no if console messaging is used |
| /usr/bin/Xorg | uid root | X11 | no if X11 is used |
| /usr/kerberos/bin/ksu | uid root | Kerberos auth | no if Kerberos is used |
| /usr/libexec/openssh/ssh-keysign | uid root | SSH | no if sshd is used |
| /usr/libexec/utempter/utempter | gid utmp | terminal support | no |
| /usr/lib/squid/pam_auth | uid root | squid | no if squid is used |
| /usr/lib/squid/ncsa_auth | uid root | squid | no if squid is used |
| /usr/lib/vte/gnome-pty-helper | gid utmp | X11, GNOME | no if X11 is used |
| /usr/sbin/ccreds_validate | uid root | PAM auth | no if PAM auth is used |
| /usr/sbin/lockdev | gid lock | filesystems | no |
| /usr/sbin/sendmail.sendmail | uid root | sendmail client | no |
| /usr/sbin/suexec | uid root | apache | no if Apache is used |
| /usr/sbin/userisdnctl | uid root | ISDN | no if ISDN is used |
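To turn the find command and the table into a repeatable check, the following POSIX sh script is an added example (not part of the original post): it runs the per-partition find, compares each set-id file against an allowlist seeded from the "no" rows of the table above, and reports only the unexpected ones together with which bit is set. The allowlist contents, the function names and the audit_setid.sh file name are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): audit SUID/SGID files on each
# partition against an allowlist of binaries expected to carry the bit, so
# only the unexpected ones are reported. Uses only POSIX sh, find -xdev and
# the standard test operators -u (setuid) and -g (setgid).

# Starting allowlist built from the rows of the table whose "Disable" column
# is "no" (a subset, as an assumption); extend it with the conditional rows
# that apply to the host being audited.
default_setid_allowlist() {
    cat <<'EOF'
/bin/mount
/bin/ping
/bin/su
/bin/umount
/sbin/pam_timestamp_check
/sbin/unix_chkpwd
/usr/bin/at
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/sudoedit
/usr/sbin/lockdev
EOF
}

# All SUID/SGID regular files on the filesystem mounted at $1. -xdev stops
# find at the boundary of that filesystem, which is why the command is run
# once per partition (pass the mount point, not the device node).
list_setid_files() {
    find "$1" -xdev \( -perm -4000 -o -perm -2000 \) -type f -print 2>/dev/null | LC_ALL=C sort
}

# Print "setuid <path>", "setgid <path>" or "setuid setgid <path>" for each
# set-id file under $1 that is not listed in the allowlist file $2
# (one absolute path per line, matched exactly with grep -Fx).
audit_setid() {
    list_setid_files "$1" | while IFS= read -r f; do
        if ! grep -Fxq -- "$f" "$2"; then
            bits=""
            [ -u "$f" ] && bits="${bits}setuid "
            [ -g "$f" ] && bits="${bits}setgid "
            printf '%s%s\n' "$bits" "$f"
        fi
    done
}

# Number of unexpected set-id files under $1; handy as a cron or CI check
# (non-zero means something to review).
count_unexpected_setid() {
    audit_setid "$1" "$2" | wc -l | tr -d ' '
}

# Usage: sh audit_setid.sh / /usr /home   (one mount point per partition)
if [ $# -ge 1 ]; then
    allow=$(mktemp)
    default_setid_allowlist >"$allow"
    for mp in "$@"; do
        audit_setid "$mp" "$allow"
    done
    rm -f "$allow"
fi
```

On a distribution with a merged /usr, find prints the resolved path (/usr/bin/passwd rather than /bin/passwd), so the allowlist must contain the paths as they appear on the audited host; anything reported that is not in the table, or that the table marks "yes", is a candidate for chmod -s after checking which package owns it.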