5.23. Bits from root-owned programs

A regular user will be able to run a program as root if it is set to SUID root. All programs and files on your computer with the s bits appearing on its mode, have the SUID -rwsr-xr-x or SGID -r-xr-sr-x bit enabled. Because these programs grant special privileges to the user who is executing them, it is important to remove the s bits from root-owned programs that won't absolutely require such privilege. This can be accomplished by executing the command chmod a-s with the name(s) of the SUID/SGID files as its arguments. Such programs include, but aren't limited to:

We've placed an asterisk * next to each program we personally might disable and consider to be not absolutely required for the working of our server. Remember that your system needs some suid root programs to work properly, so be careful. make your choices based on your requirements. To find all files with the s bits from root-owned programs, use the command:

            [root@deep]#find / -type f \( -perm -04000 -o -perm -02000 \) \-exec ls 'lg {} \;
             


            *-rwsr-xr-x	1 root     root	35168	Sep	22	23:35	/usr/bin/chage
            *-rwsr-xr-x	1 root     root	36756	Sep	22	23:35	/usr/bin/gpasswd
            *-r-xr-sr-x	1 root     tty	6788	Sep 	6	18:17	/usr/bin/wall
            -rwsr-xr-x	1 root     root	33152	Aug	16	16:35	/usr/bin/at
            -rwxr-sr-x	1 root     man	34656	Sep	13	20:26	/usr/bin/man
            -r-s--x--x	1 root     root	22312	Sep	25	11:52	/usr/bin/passwd
            -rws--x--x	2 root     root	518140 	Aug	30	23:12	/usr/bin/suidperl
            -rws--x--x	2 root     root	518140 	Aug	30	23:12	/usr/bin/sperl5.00503
            -rwxr-sr-x	1 root     slocate	24744	Sep	20	10:29	/usr/bin/slocate
            *-rws--x--x	1 root     root	14024	Sep 	9	01:01	/usr/bin/chfn
            *-rws--x--x	1 root     root	13768	Sep	9	01:01	/usr/bin/chsh
            *-rws--x--x	1 root     root	5576	Sep	9	01:01	/usr/bin/newgrp
            *-rwxr-sr-x	1 root     tty	8328	Sep	9	01:01	/usr/bin/write
            -rwsr-xr-x	1 root     root	21816	Sep	10	16:03	/usr/bin/crontab
            *-rwsr-xr-x	1 root     root	5896	Nov	23	21:59	/usr/sbin/usernetctl
            *-rwsr-xr-x	1 root     bin	16488	Jul	2	10:21	/usr/sbin/traceroute
            -rwxr-sr-x	1 root     utmp	6096	Sep	13	20:11	/usr/sbin/utempter
            -rwsr-xr-x	1 root     root	14124	Aug	17	22:31	/bin/su
            *-rwsr-xr-x	1 root     root	53620	Sep	13	20:26	/bin/mount
            *-rwsr-xr-x	1 root     root	26700	Sep	13	20:26	/bin/umount
            *-rwsr-xr-x	1 root     root	18228	Sep	10	16:04	/bin/ping
            *-rwxr-sr-x	1 root     root	3860	Nov	23	21:59	/sbin/netreport
            -r-sr-xr-x	1 root     root	26309	Oct	11	20:48	/sbin/pwdb_chkpwd
            

To disable the suid bits on selected programs above, type the following commands:

            [root@deep] /# chmod a-s /usr/bin/chage
            [root@deep] /# chmod a-s /usr/bin/gpasswd
            [root@deep] /# chmod a-s /usr/bin/wall
            [root@deep] /# chmod a-s /usr/bin/chfn
            [root@deep] /# chmod a-s /usr/bin/chsh
            [root@deep] /# chmod a-s /usr/bin/newgrp
            [root@deep] /# chmod a-s /usr/bin/write
            [root@deep] /# chmod a-s /usr/sbin/usernetctl
            [root@deep] /# chmod a-s /usr/sbin/traceroute
            [root@deep] /# chmod a-s /bin/mount
            [root@deep] /# chmod a-s /bin/umount
            [root@deep] /# chmod a-s /bin/ping
            [root@deep] /# chmod a-s /sbin/netreport

Example 5-4. Use man pages

If you want to know what those programs do, type man program-name and read the man page.
          
            [root@deep] /# man netreport