Server hardening by eliminating setuid and setgid binaries
Last Updated on Saturday, 19 February 2011 14:07 Saturday, 19 February 2011 14:05
It is quite possible that your Linux server has more packages installed than you really need. To make it worse, those extra packages may contain a handful of binaries with setuid and setgid turned on. This creates unnecessary risk, as it could be just a matter of time before one of your shell users exploits these vulnerabilities to gain root privileges.
The following command creates a list of all executables on your system that have the setuid or setgid bit set.
find / -perm /6000 -type f -exec ls -ld {} \; > setugid.txt
Review the setugid.txt list carefully and remove the "s" bits from a binary with:
# chmod a-s /path/to/binary/file
Please keep in mind that you do not have to (and should not) remove setuid and setgid from all binaries you find. You should start only with binaries which are not in use. Removing setuid and setgid from an executable binary file does not render the executable unusable; it then runs with the privileges of the calling user, so only the superuser will be able to put these binaries into action by executing them.
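The manual review of setugid.txt can be repeated after every package change by comparing the scan against a list of binaries you have already approved. The script below is an added example, not part of the original article; the function names, the allowlist file and its one-absolute-path-per-line format are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit setuid/setgid files against a reviewed allowlist.
# Function names and the allowlist format are assumptions of this example.

# list_sugid ROOT: print every regular file under ROOT that has the setuid
# or setgid bit set, sorted. The two -perm tests are the portable spelling
# of "any bit of 6000". -xdev keeps find on ROOT's own filesystem (it skips
# /proc and network mounts), so run it once per local filesystem.
list_sugid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# unexpected_sugid ROOT ALLOWLIST: print only the files that are not on the
# allowlist. These are the candidates for review and "chmod a-s".
unexpected_sugid() {
    [ -r "$2" ] || { echo "cannot read allowlist: $2" >&2; return 2; }
    # -F fixed strings, -x whole-line match, -v invert: drop approved paths.
    # grep exits 1 when nothing is left over, which is the clean result here.
    list_sugid "$1" | { grep -Fxv -f "$2" || true; }
}

# Run as: sh sugid-audit.sh / /etc/sugid.allow   (both paths are examples)
if [ "$#" -eq 2 ]; then
    unexpected_sugid "$1" "$2" | while IFS= read -r f; do
        ls -ld "$f"
    done
fi
```

An empty report means every setuid/setgid file on that filesystem has been reviewed; any line that does appear is a binary that gained the bit since the allowlist was written.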















