Finding Files With SUID and SGID Permissions in Linux
SUID (Set-User Identification) and SGID (Set-Group Identification) are two special permissions that can be set on executable files. They cause the file to run with the privileges of its owner or its group rather than those of the user who launched it.
- SUID: A special permission for executable files. It lets other users run the file with the effective permissions of the file owner. In the permission string, the owner's x (execute) position shows an s instead, which indicates SUID.
- SGID: Also a special permission for executable files. It lets other users run the file with the effective GID (Group Identifier) of the group owner. Here the group's x (execute) position shows an s instead, which indicates SGID.
Now let's look at how to find files that have SUID and SGID set using the find command.
Syntax:
find directory -user root -perm -4000 -exec ls -ldb {} \; >/tmp/filename
Here,

| Part | Meaning |
|---|---|
| find directory | Searches the tree starting at the specified directory |
| -user root | Matches only files owned by root |
| -perm -4000 | Matches only files whose mode includes the 4000 (SUID) bit |
| -exec ls -ldb {} \; | Runs ls -ldb on each match, so the output is a long-format listing |
| >/tmp/filename | Writes the result to the file name we specify |
Note: For some directories (such as /etc, /bin, /sbin) or files that require root privileges, we should run the command with sudo to get root privileges.
Now we will show how to list all files that have SUID permissions:
find directory -user root -perm -4000 -exec ls -ldb {} \; >/tmp/ckprm
The above command dumps all files having SUID permissions into the file ckprm.
The image below shows all files with SUID permissions:
Now we are going to see how to list all files that have SGID permissions.
Note: In place of filename we can use any file name of our choice.
Command: find / -user root -perm -2000 -exec ls -ldb {} \; > /tmp/ckprm
Since there are more files with SGID permissions, I cannot show the full list.
To find files that have both SUID and SGID set, run the command below:
find / -user root -perm -6000 -exec ls -ldb {} \; > /tmp/ckprim1
As you can see, only one file has both SUID and SGID permissions.
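The following script is an added example, not part of the original article. It wraps the find searches above in small shell functions, shows the difference between -perm -6000 (both bits required) and -perm /6000 (either bit), and adds a baseline comparison so a newly appeared SUID or SGID file stands out. It assumes GNU find and stat (for -perm /mode and stat -c) and builds its own constructed demo tree with mktemp, so it runs as an unprivileged user; the function names and the demo file names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original article): classify setuid/setgid files
# under a directory and diff the result against a saved baseline.
# Assumptions: GNU find/stat semantics (-perm /mode, stat -c), writable TMPDIR.

# Print "MODE OWNER PATH" for every regular file under $1 that has SUID and/or SGID.
# -perm /6000 matches files with EITHER bit set; -perm -6000 would require BOTH.
# -xdev keeps the search on one filesystem (drop it to cross mount points).
# "-exec ... +" batches paths into a few stat calls instead of one per file.
list_special() {
    find "$1" -xdev -type f -perm /6000 -exec stat -c '%04a %U %n' {} + 2>/dev/null | sort
}

# Count files under $1 that match one kind of test: suid, sgid, both, or any.
count_special() {
    dir=$1
    case $2 in
        suid) mode=-4000 ;;   # SUID bit set (SGID may or may not be)
        sgid) mode=-2000 ;;   # SGID bit set (SUID may or may not be)
        both) mode=-6000 ;;   # both bits required, like the article's last command
        any)  mode=/6000 ;;   # at least one of the two bits
        *) echo "unknown kind: $2" >&2; return 2 ;;
    esac
    find "$dir" -xdev -type f -perm "$mode" 2>/dev/null | wc -l | tr -d ' '
}

# Compare the current list of special files against a baseline file ($1) and
# print every entry that is new or whose mode/owner changed. A SUID binary that
# was not in the baseline is exactly what a defender wants to notice.
diff_baseline() {
    baseline=$1; dir=$2
    list_special "$dir" | awk -v base="$baseline" '
        BEGIN { while ((getline line < base) > 0) seen[line] = 1 }
        !($0 in seen) { print "NEW: " $0 }'
}

# Constructed demo tree (made up for this example) so the script runs offline
# without touching system binaries. Prints the directory it created.
make_demo_tree() {
    demo=$(mktemp -d)
    printf '#!/bin/sh\n' > "$demo/suid_only"; chmod 4755 "$demo/suid_only"
    printf '#!/bin/sh\n' > "$demo/sgid_only"; chmod 2755 "$demo/sgid_only"
    printf '#!/bin/sh\n' > "$demo/both_bits"; chmod 6755 "$demo/both_bits"
    printf '#!/bin/sh\n' > "$demo/plain";     chmod 0755 "$demo/plain"
    echo "$demo"
}

# Typical use on a real system (run with sudo for directories you cannot read):
#   list_special /usr > /var/tmp/suid_baseline.txt     # once, on a known-good host
#   diff_baseline /var/tmp/suid_baseline.txt /usr      # later, to spot additions
```

Saving the baseline on a known-good host and re-running diff_baseline periodically turns the one-off search from the article into a simple integrity check; the mode and owner are part of each line, so a file that gains the SUID bit later shows up as NEW even though its path was already known.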
Removing SUID and SGID:
If we want to remove the SGID and SUID permissions from the files that have them, we first remove the SUID permission:
chmod u-s filename
For example, we have removed the SUID permission from a file.
In the image above, we have removed the permission from the /usr/sbin/ppd file.
The left-hand image shows the file before removing the permission and the right-hand image shows it afterwards.
Removing the SGID permission works the same way, with a small change to the command:
chmod g-s file_name
For example, we have removed the SGID permission from a file.
In the image above, we have removed the permission from the /usr/bin/wall file.
The left-hand image shows the file before removing the permission and the right-hand image shows it afterwards.
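The script below is an added example, not part of the original article. It applies the chmod u-s and chmod g-s steps above to a whole directory tree through find, with a dry-run mode that only lists what would change, and verifies the result with stat and a follow-up find. It assumes GNU find and stat and works on a constructed demo tree created with mktemp; the function names and demo file names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original article): remove the SUID and SGID bits
# from every regular file under a directory, with a dry-run, then verify.
# Assumptions: GNU find and stat; the caller owns the files or runs as root.

# Strip both special bits from every regular file under $1.
# With $2 = "dry-run" only the affected paths are printed and nothing changes.
strip_special_bits() {
    if [ "$2" = "dry-run" ]; then
        find "$1" -xdev -type f -perm /6000 -print
    else
        # "u-s,g-s" is the article's chmod u-s and chmod g-s in one call;
        # the ordinary rwx bits are left untouched.
        find "$1" -xdev -type f -perm /6000 -exec chmod u-s,g-s {} +
    fi
}

# Octal mode of one file, e.g. 4755 before stripping and 755 afterwards.
mode_of() {
    stat -c '%a' "$1"
}

# Number of files under $1 still carrying either bit; 0 means the tree is clean.
remaining_special() {
    find "$1" -xdev -type f -perm /6000 | wc -l | tr -d ' '
}

# Constructed demo tree (made up for this example); prints its path.
make_strip_demo() {
    demo=$(mktemp -d)
    printf '#!/bin/sh\n' > "$demo/suid_bin"; chmod 4755 "$demo/suid_bin"
    printf '#!/bin/sh\n' > "$demo/sgid_bin"; chmod 2755 "$demo/sgid_bin"
    echo "$demo"
}

# Typical use: review the dry-run list first, then apply to the same directory.
#   strip_special_bits /opt/thirdparty dry-run
#   strip_special_bits /opt/thirdparty
```

Run the dry-run on a real system before applying: some SUID binaries such as passwd, su and sudo need the bit to work at all, so the tree to clean should be a specific application directory rather than / or /usr/bin.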