A malicious user seeking root access will always look for programs on
the system that have the SUID or SGID bit set. As we discussed in Part 3 of the LPI 101 series, these bits cause the program to always run
as the user or group that owns the file. Sometimes this is required for
proper functioning of the program. The problem is that any such program
may contain a bug that lets an unprivileged user misuse it to gain the
privileges of the file's owner or group.
You should consider each program carefully to determine if it needs to
have its SUID or SGID bits on. There may be SUID/SGID programs on your
system that you don't need at all.
To search for programs of this nature, use the find command.
For example, we could start searching for SUID/SGID programs in the /usr
directory:
# cd /usr
# find . -type f -perm +6000 -xdev -exec ls -l {} \;
-rwsr-sr-x 1 root root 593972 11-09 12:47 ./bin/gpg
-r-xr-sr-x 1 root man 38460 01-27 22:13 ./bin/man
-rwsr-xr-x 1 root root 15576 09-29 22:51 ./bin/rcp
-rwsr-xr-x 1 root root 8256 09-29 22:51 ./bin/rsh
-rwsr-xr-x 1 root root 29520 01-17 19:42 ./bin/chfn
-rwsr-xr-x 1 root root 27500 01-17 19:42 ./bin/chsh
-rwsr-xr-x 1 lp root 8812 01-15 23:21 ./bin/lppasswd
-rwsr-x--- 1 root cron 10476 01-15 22:16 ./bin/crontab
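The one-off find command above answers "what is SUID/SGID right now"; what you usually want in practice is to record that list once and be told when it changes. The following is an added example, not code from the article: a pair of shell functions that list SUID/SGID files under a directory and compare the result against a saved baseline. It assumes a find that accepts the -perm /mode syntax (GNU findutils or BusyBox); current GNU find rejects the older -perm +6000 form used above.

```shell
#!/bin/sh
# Added example (not from the article): audit SUID/SGID files under a
# directory tree and report changes against a saved baseline.
# Assumes: GNU or BusyBox find (-perm /mode), POSIX ls/awk/sort/comm.
export LC_ALL=C   # sort and comm must agree on collation

# list_setid DIR
#   Print "mode owner group path" for every regular file under DIR that
#   has the SUID and/or SGID bit set, without crossing into other
#   filesystems. Errors (unreadable directories) are silenced.
#   Note: paths containing spaces would be truncated by the awk field split.
list_setid() {
    find "$1" -xdev -type f -perm /6000 -exec ls -ld {} \; 2>/dev/null |
        awk '{ print $1, $3, $4, $NF }' | sort
}

# check_baseline DIR BASELINE_FILE
#   Return 0 when the current SUID/SGID set under DIR matches the baseline
#   (as produced earlier by list_setid), otherwise print each new entry
#   prefixed with "+ " and each vanished entry with "- " and return 1.
check_baseline() {
    baseline_file=$2
    current_list=$(mktemp) || return 2
    list_setid "$1" > "$current_list"
    changes=$( {
        comm -13 "$baseline_file" "$current_list" | sed 's/^/+ /'
        comm -23 "$baseline_file" "$current_list" | sed 's/^/- /'
    } )
    rm -f "$current_list"
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}
```

Run list_setid once on a known-good system and keep the output somewhere the unprivileged user cannot write; a new "+" line in a later check_baseline run is a privileged binary that appeared since the baseline was taken.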
In this list, I've already found a candidate for closer inspection:
lppasswd is part of the CUPS printing software distribution. Since
I don't provide print services on my system, I might consider removing
CUPS, which will also remove the lppasswd program. There may be no
security-compromising bugs in lppasswd, but why take the chance on a
program I'm not using? Similarly, all services that you don't use
should be turned off. You can always enable them if and when you need
them.