Finding SUID and SGID Files
One of the most critical security tasks on a Unix system is monitoring files with the Set-User-ID (SUID) and Set-Group-ID (SGID) bits enabled.
When an executable has the SUID bit set, it runs with the privileges of the file's owner, regardless of who executes it. If a root-owned binary has the SUID bit set, any standard user who runs it gains temporary root privileges. This is necessary for commands like passwd or sudo, but a rogue SUID file is a massive vulnerability.
The Octal Permissions
- SUID Bit: represented by 4 in the first octal position (e.g., 4755).
- SGID Bit: represented by 2 in the first octal position (e.g., 2755).
1. Locating SUID Files
To find files with the SUID bit set, we use the -perm test with the "Any Of" (/) prefix. With /4000, find matches any file whose mode has the SUID bit set, regardless of the other permission bits, so we only care about that one bit and mask out everything else.
# Find files where the SUID bit (4000) is set
find / -type f -perm /4000 2>/dev/null
(Note: We append 2>/dev/null to suppress "Permission denied" errors as we traverse the root filesystem).
2. Locating SGID Files
Similarly, to find files with the SGID bit set:
# Find files where the SGID bit (2000) is set
find / -type f -perm /2000 2>/dev/null
3. The Complete Audit Command
Security compliance frameworks (like CIS benchmarks) require scanning for both SUID and SGID files periodically.
# Find files with EITHER SUID (4) or SGID (2) set, creating a mask of 6000
find / -type f -perm /6000 -exec ls -ld {} \; 2>/dev/null
Analyzing the Output
When you run this command, review the output. Legitimate SUID binaries usually reside in /bin, /sbin, /usr/bin, and /usr/sbin.
If you find an SUID binary in /home/user or /tmp, it is highly indicative of a compromise or a careless developer.
Example Legitimate Output:
-rwsr-xr-x 1 root root 68208 May 10 2022 /usr/bin/passwd
-rwsr-xr-x 1 root root 166056 Jan 18 2023 /usr/bin/sudo
(Notice the s in the owner execute position, indicating SUID).
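As an added example (not part of the original page), a small POSIX shell audit that combines the complete -perm /6000 command above with the "where does it live" check from the analysis step: every SUID/SGID file under a root is listed with its mode string and flagged SUSPICIOUS when it sits outside the directories named above. The function names, the TRUSTED_DIRS list and the constructed demo tree are this example's own assumptions.

```shell
#!/bin/sh
# Added example: audit SUID/SGID files and flag any outside the directories
# where privileged binaries normally live. Function names and TRUSTED_DIRS
# are assumptions of this example, not from the original page.

# Directories where SUID/SGID binaries are expected (taken from the page).
# A given distribution may need more, e.g. helpers under /usr/lib.
TRUSTED_DIRS="/bin /sbin /usr/bin /usr/sbin"

# classify_path PATH -> prints "expected" or "SUSPICIOUS"
classify_path() {
    for d in $TRUSTED_DIRS; do
        case "$1" in
            "$d"/*) echo expected; return 0 ;;
        esac
    done
    echo SUSPICIOUS
}

# audit_suid_sgid [ROOT] -> one line per SUID/SGID regular file under ROOT:
#   <classification> <mode string from ls -ld> <path>
# ROOT defaults to /. Any other ROOT is treated as a chroot-style tree, so
# $ROOT/usr/bin/passwd is classified as /usr/bin/passwd.
audit_suid_sgid() {
    root=${1:-/}
    prefix=$root
    [ "$root" = / ] && prefix=""
    # -perm /6000: match if EITHER the SUID (4000) or SGID (2000) bit is set.
    find "$root" -type f -perm /6000 2>/dev/null |
    while IFS= read -r f; do
        rel=${f#"$prefix"}
        mode=$(ls -ld "$f" | cut -d' ' -f1)
        printf '%s %s %s\n' "$(classify_path "$rel")" "$mode" "$f"
    done
}

# Constructed sample tree (demo data, not a scan of a real system).
demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/usr/bin" "$t/tmp"
    : > "$t/usr/bin/passwd"; chmod 4755 "$t/usr/bin/passwd"  # SUID, expected
    : > "$t/usr/bin/wall";   chmod 2755 "$t/usr/bin/wall"    # SGID, expected
    : > "$t/usr/bin/ls";     chmod 755  "$t/usr/bin/ls"      # no special bits
    : > "$t/tmp/.cache";     chmod 4755 "$t/tmp/.cache"      # SUID in /tmp
    echo "$t"
}

# Usage: sh audit.sh [ROOT]; with no argument the constructed demo tree is used.
if [ -n "${1:-}" ]; then audit_suid_sgid "$1"; else audit_suid_sgid "$(demo_tree)"; fi
```

On a real host, run it with / as the argument and compare the output against a baseline taken from a known-good install of the same release; new SUSPICIOUS lines are what warrant investigation.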