Find setuid binaries to perform Linux server hardening

The purpose of this tutorial is to find setuid binaries on Linux. It is quite possible that your Linux server has more packages installed than you really need. To make it worse, those extra packages may contain a handful of binaries with setuid and setgid turned on.

On Linux systems, some binaries have the setuid permission, a special Linux permission that causes an executable to run not with the privileges of the user who launched it, but with those of the file owner instead.

If one or more of your system's binaries have the setuid permission set, this creates unnecessary risk: it could be only a matter of time before one of your shell users exploits a vulnerability in such a binary to gain root privileges.

In this tutorial you will learn:

  • How to find setuid binaries on Linux
  • How to remove setuid and setgid permission from binaries
Software Requirements and Linux Command Line Conventions

Category     Requirements, Conventions or Software Version Used
System       Any Linux distro
Software     N/A
Other        Privileged access to your Linux system as root or via the sudo command.
Conventions  # – requires given Linux commands to be executed with root privileges, either directly as the root user or by use of the sudo command
             $ – requires given Linux commands to be executed as a regular non-privileged user

Server hardening by eliminating setuid and setgid binaries

Follow the steps below to compile a list of binaries on your system that have either the setuid or setgid permission set.

  1. The following Linux command creates a list of all executables on your system with setuid. Note that -perm -4000 matches any file whose mode includes the setuid bit, whatever the other permission bits are.
    # find / -perm -4000 -type f -exec ls -ld {} \; > setuid.txt
    
  2. Since the previous example searches every file on your system, you may find it more efficient to limit the search to directories where binaries are ordinarily stored, such as /usr/bin.
    # find /usr/bin -perm -4000 -type f -exec ls -ld {} \; > setuid.txt
    
  3. Next, you can get a list of all files that have the setgid permission.
    # find / -perm -2000 -type f -exec ls -ld {} \; > setgid.txt
    
  4. Review the files listed in setuid.txt and setgid.txt carefully, and remove the "s" bits from any binary you wish with the following command:
    # chmod a-s /path/to/binary/file
    
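The four steps above, wrapped into a small POSIX shell script as an added example (this is not code from the original tutorial). It goes one step further than the text: besides listing setuid/setgid files and stripping the bits, it saves a baseline of the scan and reports any file that has gained or lost a special bit since, which is the check a practitioner would schedule after the first clean-up. The fixture directory and the file names suid_tool, sgid_tool and plain_tool are constructed for the demonstration and are not real system binaries.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. It wraps the find commands
# above in functions so that an audit can be repeated and compared against a
# baseline, then exercises them on a constructed fixture directory. All file
# names under the fixture are hypothetical.

# Regular files under $1 with the setuid or setgid bit set, one path per line.
# The parentheses group the two -perm tests so that -type f applies to both.
list_special_bits() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | LC_ALL=C sort
}

# Number of setuid/setgid files under $1 (0 when there are none).
count_special_bits() {
    list_special_bits "$1" | wc -l | tr -d ' '
}

# Compare a fresh scan of $1 against the baseline file $2 (one path per line,
# as written by list_special_bits). Prints "+ path" for a file that gained a
# special bit since the baseline and "- path" for one that lost it.
# Returns 0 when nothing changed and 1 otherwise, so it can drive a cron alert.
diff_against_baseline() {
    dir=$1
    baseline=$2
    current=$(mktemp)
    list_special_bits "$dir" > "$current"
    added=$(LC_ALL=C comm -13 "$baseline" "$current")
    removed=$(LC_ALL=C comm -23 "$baseline" "$current")
    rm -f "$current"
    if [ -n "$added" ]; then
        printf '%s\n' "$added" | sed 's/^/+ /'
    fi
    if [ -n "$removed" ]; then
        printf '%s\n' "$removed" | sed 's/^/- /'
    fi
    [ -z "$added" ] && [ -z "$removed" ]
}

# Clear both special bits on $1 (the tutorial's chmod a-s step). The file stays
# executable; it just no longer changes identity when run.
strip_special_bits() {
    chmod a-s "$1"
}

# Build a throwaway directory with one setuid, one setgid and one plain script,
# mimicking what a scan of /usr/bin might turn up. Prints the directory path.
make_fixture() {
    dir=$(mktemp -d)
    for name in suid_tool sgid_tool plain_tool; do
        printf '#!/bin/sh\necho "%s"\n' "$name" > "$dir/$name"
    done
    chmod 4755 "$dir/suid_tool"
    chmod 2755 "$dir/sgid_tool"
    chmod 0755 "$dir/plain_tool"
    printf '%s\n' "$dir"
}

# Walk through the workflow end to end on the fixture.
run_demo() {
    fixture=$(make_fixture)
    baseline=$(mktemp)
    echo "Initial scan of $fixture:"
    list_special_bits "$fixture" | tee "$baseline"
    echo "Stripping special bits from suid_tool, then re-checking against the baseline:"
    strip_special_bits "$fixture/suid_tool"
    diff_against_baseline "$fixture" "$baseline" || echo "change detected (exit status 1)"
    rm -rf "$fixture" "$baseline"
}

run_demo
```

On a real server you would point list_special_bits at / or /usr/bin as in the steps above, keep the first scan as the baseline, and run diff_against_baseline from cron: a "+ path" line means something installed or modified a setuid/setgid file since your review, which is exactly what you want to hear about.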

WARNING
Please keep in mind that you do not have to (and should not) remove the setuid and setgid permissions from all binaries you find. Start only with binaries that are not in use.

Removing setuid and setgid from an executable binary file does not render the executable unusable; however, only the superuser will then be able to use these binaries for the privileged operations they were designed for.

Closing Thoughts

In this tutorial, we saw how to find setuid binaries on Linux. These files contain special permissions and, if used on the wrong file, could provide an exploit for users with regular permissions. Removing setuid and setgid permissions from binary files that don’t need them will help harden your Linux server.
