5.23. Bits from root-owned programs

A regular user can run a program with root privileges if that program is set SUID root. Every program or file whose mode shows an s bit has the SUID (-rwsr-xr-x) or SGID (-r-xr-sr-x) bit enabled. Because these programs grant special privileges to whoever executes them, it is important to remove the s bits from root-owned programs that do not absolutely require such privilege. This is done with the command chmod a-s, giving the name(s) of the SUID/SGID files as its arguments. Such programs include, but are not limited to, the ones listed below.

We have placed an asterisk (*) next to each program we personally might disable and consider not absolutely required for the working of our server. Remember that your system needs some SUID root programs to work properly (su and passwd, for example), so be careful and make your choices based on your own requirements. To find all root-owned files with the s bits set, use the command:


            [root@deep]# find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;
             


            *-rwsr-xr-x  1 root     root     35168   Sep 22  23:35   /usr/bin/chage
            *-rwsr-xr-x  1 root     root     36756   Sep 22  23:35   /usr/bin/gpasswd
            *-r-xr-sr-x  1 root     tty       6788   Sep  6  18:17   /usr/bin/wall
             -rwsr-xr-x  1 root     root     33152   Aug 16  16:35   /usr/bin/at
             -rwxr-sr-x  1 root     man      34656   Sep 13  20:26   /usr/bin/man
             -r-s--x--x  1 root     root     22312   Sep 25  11:52   /usr/bin/passwd
             -rws--x--x  2 root     root    518140   Aug 30  23:12   /usr/bin/suidperl
             -rws--x--x  2 root     root    518140   Aug 30  23:12   /usr/bin/sperl5.00503
             -rwxr-sr-x  1 root     slocate  24744   Sep 20  10:29   /usr/bin/slocate
            *-rws--x--x  1 root     root     14024   Sep  9  01:01   /usr/bin/chfn
            *-rws--x--x  1 root     root     13768   Sep  9  01:01   /usr/bin/chsh
            *-rws--x--x  1 root     root      5576   Sep  9  01:01   /usr/bin/newgrp
            *-rwxr-sr-x  1 root     tty       8328   Sep  9  01:01   /usr/bin/write
             -rwsr-xr-x  1 root     root     21816   Sep 10  16:03   /usr/bin/crontab
            *-rwsr-xr-x  1 root     root      5896   Nov 23  21:59   /usr/sbin/usernetctl
            *-rwsr-xr-x  1 root     bin      16488   Jul  2  10:21   /usr/sbin/traceroute
             -rwxr-sr-x  1 root     utmp      6096   Sep 13  20:11   /usr/sbin/utempter
             -rwsr-xr-x  1 root     root     14124   Aug 17  22:31   /bin/su
            *-rwsr-xr-x  1 root     root     53620   Sep 13  20:26   /bin/mount
            *-rwsr-xr-x  1 root     root     26700   Sep 13  20:26   /bin/umount
            *-rwsr-xr-x  1 root     root     18228   Sep 10  16:04   /bin/ping
            *-rwxr-sr-x  1 root     root      3860   Nov 23  21:59   /sbin/netreport
             -r-sr-xr-x  1 root     root     26309   Oct 11  20:48   /sbin/pwdb_chkpwd
            

To disable the SUID/SGID bits on the programs selected above (those marked with an asterisk), type the following commands:


            [root@deep] /# chmod a-s /usr/bin/chage
            [root@deep] /# chmod a-s /usr/bin/gpasswd
            [root@deep] /# chmod a-s /usr/bin/wall
            [root@deep] /# chmod a-s /usr/bin/chfn
            [root@deep] /# chmod a-s /usr/bin/chsh
            [root@deep] /# chmod a-s /usr/bin/newgrp
            [root@deep] /# chmod a-s /usr/bin/write
            [root@deep] /# chmod a-s /usr/sbin/usernetctl
            [root@deep] /# chmod a-s /usr/sbin/traceroute
            [root@deep] /# chmod a-s /bin/mount
            [root@deep] /# chmod a-s /bin/umount
            [root@deep] /# chmod a-s /bin/ping
            [root@deep] /# chmod a-s /sbin/netreport
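The two steps above (find every SUID/SGID file, then clear the s bits on a chosen subset only) can be wrapped into a small audit script so that the removal is driven by an explicit list and programs the system needs, such as su, are never stripped by accident. The following is an added example, not part of the original HOWTO: it builds a constructed sample tree of stub scripts under mktemp, named after the programs discussed above, so it can be run without touching real system binaries. The function and variable names are our own choices.

```shell
# Added example (not from the original HOWTO): audit a tree for SUID/SGID
# files, report them, and clear the s bits only on an explicit list.
# The sample tree is constructed with mktemp; no real binaries are touched.

# list_setuid DIR: print every regular file under DIR with the SUID (04000)
# or SGID (02000) bit set, one path per line, sorted for stable output.
list_setuid() {
    find "$1" -type f \( -perm -04000 -o -perm -02000 \) 2>/dev/null | sort
}

# count_setuid DIR: number of such files under DIR.
count_setuid() {
    list_setuid "$1" | wc -l | tr -d ' '
}

# strip_setuid_listed DIR NAME...: run "chmod a-s" on DIR/NAME for each NAME
# that exists and currently carries an s bit; report what was done.
# Only the listed programs are touched, so su, passwd and friends stay intact.
strip_setuid_listed() {
    root=$1; shift
    for name in "$@"; do
        path="$root/$name"
        if [ -f "$path" ] && { [ -u "$path" ] || [ -g "$path" ]; }; then
            chmod a-s "$path" && echo "cleared s bits: $path"
        else
            echo "skipped (missing or no s bits): $path"
        fi
    done
}

# build_demo_tree: constructed sample tree of stub scripts (assumed names,
# mirroring the listing above); prints the tree's path.
build_demo_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/bin" "$dir/usr/bin"
    for f in bin/su bin/ping usr/bin/chage usr/bin/wall usr/bin/cat; do
        printf '#!/bin/sh\necho stub\n' > "$dir/$f"
    done
    chmod 4755 "$dir/bin/su" "$dir/bin/ping" "$dir/usr/bin/chage"   # SUID
    chmod 2755 "$dir/usr/bin/wall"                                   # SGID
    chmod 0755 "$dir/usr/bin/cat"                                    # no s bits
    echo "$dir"
}

# Demonstration: audit, strip the chosen programs, audit again, clean up.
tree=$(build_demo_tree)
echo "before:"; list_setuid "$tree"
strip_setuid_listed "$tree" bin/ping usr/bin/chage usr/bin/cat
echo "after:";  list_setuid "$tree"
rm -rf "$tree"
```

On a real system you would call list_setuid with / as the tree (as root, so that find can read every directory) and pass strip_setuid_listed the relative paths you have decided on, such as bin/ping and usr/bin/chage, rather than a blanket list; keep a copy of the before listing so that the change can be reviewed or reverted later.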

Example 5-4. Use man pages

If you want to know what any of these programs does before removing its s bit, type man program-name and read the man page. For example:

          
            [root@deep] /# man netreport