LinuxQuestions.org > Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I've searched the forum, but nothing answers my question.
We know the security risk posed by suid, sgid.
I'm looking to remove the suid bits from all programs that do not absolutely need it.
This command:
find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;
gave the list below.
For which of these programs can I safely remove the suid bit? I don't want to break my system by modifying a program that the system needs.
-r-sr-xr-x 1 bin 502172 Jan 10 12:36 /usr/local/bin/dccproc
-r-sr-xr-x 1 bin 186683 Jan 10 12:36 /usr/local/bin/cdcc
-r-s--x--x 1 root 23980 Nov 17 00:27 /usr/lib/virtualbox/VBoxNetDHCP
-r-s--x--x 1 root 9896 Nov 17 00:27 /usr/lib/virtualbox/VBoxNetAdpCtl
-r-s--x--x 1 root 23976 Nov 17 00:27 /usr/lib/virtualbox/VBoxSDL
-r-s--x--x 1 root 23980 Nov 17 00:27 /usr/lib/virtualbox/VBoxHeadless
-r-s--x--x 1 root 24108 Nov 17 00:27 /usr/lib/virtualbox/VirtualBox
-rwsr-x--- 1 squid 15448 Jan 20 2009 /usr/lib/squid/pam_auth
-rwsr-x--- 1 squid 17580 Jan 20 2009 /usr/lib/squid/ncsa_auth
-rwx--s--x 1 utmp 6652 Feb 26 2009 /usr/libexec/utempter/utempter
-rwsr-xr-x 1 root 176732 Dec 16 17:15 /usr/libexec/openssh/ssh-keysign
-rwxr-sr-x 1 lock 16616 Jan 9 2007 /usr/sbin/lockdev
-rws--x--x 1 root 32780 Feb 26 2009 /usr/sbin/userhelper
-rwsr-xr-x 1 root 6240 Jan 6 2007 /usr/sbin/ccreds_validate
-r-s--x--- 1 apache 11544 Sep 15 2008 /usr/sbin/suexec
-rwsr-xr-x 1 root 169760 Jan 12 16:22 /usr/kerberos/bin/ksu
---s--x--x 2 root 140808 Sep 19 19:02 /usr/bin/sudo
-rwxr-sr-x 1 mail 16020 Mar 29 2007 /usr/bin/lockfile
---s--x--x 1 root 34112 Sep 3 18:03 /usr/bin/staprun
---s--x--x 2 root 140808 Sep 19 19:02 /usr/bin/sudoedit
-rws--x--x 1 root 1890084 Jan 5 17:16 /usr/bin/Xorg
-rwsr-xr-x 1 root 43976 Jan 5 2007 /usr/bin/at
-rwxr-sr-x 1 nobody 88972 Dec 16 17:15 /usr/bin/ssh-agent
-rws--x--x 1 root 70900 Sep 3 07:30 /usr/bin/sperl5.8.8
-rwsr-xr-x 1 root 22984 Jan 6 2007 /usr/bin/passwd
-rwsr-sr-x 1 root 315416 Jan 5 16:59 /usr/bin/crontab
-rwx--s--x 1 slocate 23856 Sep 3 10:53 /usr/bin/locate
-rwsr-sr-x 1 qscand 113217 Jan 13 13:56 /var/qmail/bin/qmail-scanner-queue.pl
-rws--x--x 1 qmail 21048 Jan 7 15:30 /var/qmail/bin/qmail-queue
-r-sr-xr-x 1 bin 153546 Jan 10 12:36 /var/dcc/libexec/dccsight
-rwsr-x--- 1 dbus 45148 Jan 7 16:24 /lib/dbus-1/dbus-daemon-launch-helper
-rwsr-x--- 1 ecryptfs 12000 Sep 3 18:13 /sbin/mount.ecryptfs_private
-rwsr-xr-x 1 root 12248 Sep 3 15:51 /sbin/pam_timestamp_check
-rwsr-xr-x 1 root 19184 Sep 3 15:51 /sbin/unix_chkpwd
-rwsr-sr-x 1 root 81864 Nov 17 2006 /var/www/html/site/cgi-bin/vqadmin/vqadmin.cgi
-rwsr-sr-x 1 557 127196 Nov 17 2006 /var/www/html/site/cgi-bin/qmailadmin
-rwsr-xr-x 1 root 31244 Sep 26 12:34 /bin/ping6
-rwsr-xr-x 1 root 23960 Oct 26 19:12 /bin/su
I'm open to correction here, but IME distros do not put suid/sgid on a file/dir lightly.
Frankly, I'd leave well alone unless it's an amendment made since the original install.
rpm -Va
will check this on an RH/Fedora/Centos system.
The only ones that look odd to me are /var/www... but I'll leave that to the experts.
Yeah, that rpm cmd works on rpm-based systems; it shows you what is different now from the installation settings; see the man page. Very useful.
You can use http://www.cyberciti.biz/tips/reset-...ermission.html to revert to orig settings.
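One practical gap in the listing above: `ls -lg` prints the group column but drops the owner, so the "bin", "squid", "apache" etc. shown there are groups, not the user a setuid binary would run as. The script below is an added example for this thread, not code posted by any participant. It re-runs the enumeration with both owner and group visible, labels each file as setuid, setgid or both, and, where `rpm` exists, applies the per-file form of the `rpm -Va` check from the replies (the M/U/G flags of `rpm -V` mark a mode, owner or group that no longer matches the package). It assumes a GNU/Linux userland (GNU find, ls, awk); the function names and the output format are my own.

```shell
#!/bin/sh
# suid_audit.sh: list setuid/setgid files with BOTH owner and group, and (on
# RPM-based systems) check whether each file's mode still matches its package.
# Added example for this thread, not code posted by any participant.
# Assumes GNU/Linux userland (find, ls, awk) and, optionally, rpm.

# find_special ROOT BIT: paths of regular files under ROOT whose mode includes
# BIT (4000 = setuid, 2000 = setgid). -xdev stays on one filesystem so /proc,
# /sys and network mounts are not walked.
find_special() {
    find "$1" -xdev -type f -perm -"$2" -print 2>/dev/null
}

# describe FILE: print "kind owner group mode path" on one line. Uses `ls -ld`,
# not `ls -lg`: -g drops the owner column, so the user a setuid file runs as is
# invisible in the thread's listing (the names shown there are groups).
describe() {
    path="$1"
    set -- $(ls -ld "$path")          # $1=mode $3=owner $4=group (no spaces in path)
    mode="$1"; owner="$3"; group="$4"
    kind=""
    case "$mode" in ???[sS]*)    kind="setuid" ;; esac                 # 4th char: user exec slot
    case "$mode" in ??????[sS]*) kind="${kind:+$kind+}setgid" ;; esac  # 7th char: group exec slot
    printf '%-13s %-8s %-8s %s %s\n' "$kind" "$owner" "$group" "$mode" "$path"
}

# rpm_mode_check FILE: on RPM-based systems, report whether FILE's mode, owner
# or group differ from the package database (M/U/G flags from `rpm -V`, the
# per-file form of the `rpm -Va` check suggested in the thread).
rpm_mode_check() {
    command -v rpm >/dev/null 2>&1 || { printf 'rpm not available\n'; return 0; }
    pkg=$(rpm -qf "$1" 2>/dev/null) || { printf 'not owned by any package\n'; return 0; }
    flags=$(rpm -V "$pkg" 2>/dev/null | awk -v f="$1" '$NF == f { print $1 }')
    case "$flags" in
        *[MUG]*) printf 'DIFFERS from %s (%s)\n' "$pkg" "$flags" ;;
        *)       printf 'matches %s\n' "$pkg" ;;
    esac
}

# audit ROOT: one line per setuid/setgid file under ROOT, plus the rpm verdict.
audit() {
    { find_special "$1" 4000; find_special "$1" 2000; } | sort -u |
    while IFS= read -r f; do
        printf '%s  [%s]\n' "$(describe "$f")" "$(rpm_mode_check "$f")"
    done
}

# Run only when a root directory is given, e.g. `sh suid_audit.sh /`.
if [ $# -gt 0 ]; then
    audit "$1"
fi
```

Run it as `sh suid_audit.sh /` (as root, or the scan will skip directories you cannot read). Files reported as "not owned by any package" are the local additions the first reply points at (here the /var/www, /var/qmail, /var/dcc and /usr/local entries), and those are the only ones where a missing bit cannot be restored from the package database; for packaged files, `rpm --setperms PKG` puts the recorded mode back if an experiment breaks something.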