Week 44: Permissions, part 2 -- Who owns what when?

When
Daily if automated, weekly if ad hoc. Daily if your system is an attractive target for intrusion attempts or you have a history of such.

Why
Attackers can gain access to your system through files, directories and devices with higher privileges than necessary that execute on behalf of a privileged task. Most SUID (set user ID) system programs run as SUID root; that is, they become super user when executing. In theory, this isn't a security hole because compiled programs perform only the functions compiled into them. But people have figured out ways of making SUID programs do things they weren't designed to do. Too often, SUID root is used when a group with less privilege would suffice, such as daemon.

Strategy
Remember that Unix describes UID as the file's owner, GID (group ID) is the file's group. Sometimes unprivileged users need to accomplish tasks that require privileges above theirs, such as the password program, which allows you to change your password and requires modifying the password field in the /etc/passwd file. However, if you had access to this file directly, you could change everyone else's password too. To get around these problems, Unix allows programs to assume another UID or GID when running. A program changing its UID is an SUID program; one that changes group ID is called SGID, and a program can be both at the same time. When a SUID program is run, its effective UID becomes that of the owner of the file, rather than of the user who is running it. Remember from last week that file permissions use a 10-character reference.

Consider the following sample output from running the ls -l command:

-rwxrw-r-- 1 shelley staff 64 May 15 19:01 DailyChecklist.txt

The owner of this plain file, DailyChecklist.txt, is Shelley, and she's a member of the group Staff. The following rights are assigned: Shelley has read, write and execute permissions; Staff has read and write permissions; and

To continue reading for free, register below or login

Requires Membership to View

To gain access to this and all member only content, please provide the following information (all fields required):

First Name:
Last Name:
Country: Select... Afghanistan Aland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory British Virgin Islands Brunei Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos (Keeling) Islands Colombia Comoros Congo Congo, Democratic Republic of Cook Islands Costa Rica Cote D'Ivoire Croatia Cuba Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia, The Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard and McDonald Islands Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati Korea, North Korea, South Kuwait Kyrgyzstan Laos Latvia Lebanon Lesotho Liberia Libya Liechtenstein Lithuania Luxembourg Macau Macedonia Madagascar Malawi Malaysia Maldives Mali Malta Man, Isle of Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands Netherlands Antilles New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestine Panama Panama Canal Zone Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Reunion Romania Russia Rwanda Saint Helena Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and the Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia and Montenegro Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard Swaziland Sweden Switzerland Syria Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu U.S. Minor Outlying Islands Uganda Ukraine United Arab Emirates United Kingdom United States Uruguay Uzbekistan Vanuatu Vatican City Venezuela Vietnam Virgin Islands Wallis and Futuna Islands Western Sahara Yemen Zambia Zimbabwe
Email Address:

I would like to receive a FREE subscription to Information Security magazine online.
YesNo

Do you manage, evaluate, recommend, implement, support or purchase security products, software or services?
YesNo

Please estimate the yearly security budget for your entire organization including all security products and services.
Please select... Over $10 Million $5 Million-$10 Million $1 Million-$4.9 Million $500,000-$999,999 $100,000-$499,999 $50,000-$99,999 $25,000-$49,999 $10,000-$24,999 Less than $10,000 None

What is your role in purchasing IT related products and services? (Check all that apply)
Technical decision maker
Financial decision maker
Recommend/Specify
Evaluate products
Implement Products/Services
Determine Needs
Create Security Strategy
None

By joining SearchSecurity.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.

TechTarget cares about your privacy. Read our Privacy Policy

Using the four-digit octal representation of permissions, use the following commands to find out which files have 'setuid' and 'setgid' (especially setuid root files), permissions, respectively:

# find / -perm -2000 -print
# find / -perm -4000 -print

You can look for these SUID and SGID files by creating a daily or weekly cron script and receive the results in an e-mail from the system. You can combine both commands above into one and mail the results:

# find / ( -perm -4000 -o -perm -2000 ) -print | mail -s "setuid and setgid files" myname@myorganization.com

More information
Integrity checkers like Tripwire (http://www.tripwire.com ) can make your job easier. They monitor the permissions and checksums of important files so you can detect whether they have been modified. COPS (http://www.fish.com/cops ), by Dan Farmer, is the Computer Oracle and Password System, a system that checks Unix systems for common security problems, like unsafe permissions on key files and directories. Tiger (http://www.net.tamu.edu/network/tools/tiger.html ), by Doug Schales of Texas A&M University, is a set of scripts that scan a Unix system looking for security problems in the same fashion as COPS, which was originally developed to provide a check of Unix systems on the A&M campus that users wanted to be accessible off campus.

About the author
Shelley Bard, CISSP, CISM, is a senior security network engineer with Verizon Federal Network Systems (FNS). An information security professional for 17 years, Bard has briefed and written infosecurity assessments and technical reports for the White House and Department of Defense, special interest groups, industry and academia. Please e-mail any comments to mailto:securityplanner@infosecuritymag.com

Opinions expressed in this column are those of Shelley Bard and don't necessarily reflect those of Verizon FNS.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Weekly Security Planner,   Data Analysis and Classification,   Enterprise Data Protection,   Alternative OS security: Mac, Linux, Unix, etc.,   Application and Platform Security,   Operating System Security,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Weekly Security Planner Weekly Security Planner: April Weekly Security Planner: March Weekly Security Planner: January Weekly Security Planner: February Weekly Security Planner: December Weekly Security Planner: November Weekly Security Planner: September Weekly Security Planner: August Weekly Security Planner: October Weekly Security Planner: July Data Analysis and Classification Compliance in the cloud Database monitoring, encryption vital in tight economy, Forrester says Best practices for log data retention Simplicity is key to data classification projects HIPAA changes force healthcare to improve data flow Can read/write access policies be put on a SAN server? Microsoft to embed data classification, strengthen ties with DLP Metaforic crosses swords with software pirates RSA attendees see data classification, rights management projects stumble Product review: Titus Labs' Message Classification Data Analysis and Classification Research Alternative OS security: Mac, Linux, Unix, etc. Mac OS memory flaws pose challenges for enterprise endpoint protection Rootkit Hunter demo: Detect and remove Linux rootkits Oracle to buy Sun Microsystems for $7.4 billion How to harden Linux operating systems Serious holes in Mac OS X memory, researcher shows What is the best operating system for an FTP server implementation? Black Hat DC 2009: Mac OS attack method New hacking method stealthily attacks Macs with malware Apple fixes critical QuickTime flaws User provisioning and SSO for PeopleSoft- and Unix-based products Alternative OS security: Mac, Linux, Unix, etc. Research RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary trusted computing  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.