Document and Monitor Files with SUID, SGID, and NOSUID

Chapter 5 | AIX eCourse


SUID Files

SUID stands for "set user ID on execution." It is a special permission bit on an executable file. Normally a program runs with the privileges of the user who started it. When the SUID bit is set, the program instead runs with the effective user ID of the file's owner, so the invoking user temporarily holds the owner's access rights for as long as that program runs. SUID changes only the user ID; the group ID is controlled by the separate SGID bit described below. Any user who can execute a SUID file therefore runs it with the owner's effective UID, which is why root-owned SUID programs deserve particular attention.

For example, the passwd command is owned by root and has the SUID bit set. When you change your password, passwd must update system files such as /etc/passwd and, on AIX, /etc/security/passwd (the file that plays the role of /etc/shadow on other UNIX systems). A normal user cannot open or write these files directly, so without the SUID bit the command would fail; with it, passwd runs as root and can make the change on the user's behalf.

Find SUID files:

find / -perm -4000 -exec ls -l {} \; | more


Document deviations from the standard configuration and regularly re-check which files have the SUID bit set. Record the owner, group, mode, ACL, and location of every SUID file, and monitor them for changes, since an unexpected change can be a sign of a system compromise.

If a new SUID program appears on the list, examine it to determine whether it is legitimate or whether someone has planted it to gain elevated privileges. An insecure SUID program can let an unprivileged user read or write arbitrary files, or escape to a shell running with the owner's privileges, which amounts to unrestricted access.

 

SGID Files

SGID (set group ID on execution) files work in the same way, but the program runs with the effective group ID of the file's group rather than the user ID of the owner. Again, find, document, and regularly monitor any files that have the SGID bit set, as shown here:

Find SGID files:

find / -perm -2000 -exec ls -l {} \; | more
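The two find commands above produce a listing, but the chapter's real requirement is to keep that listing as a baseline and notice when it changes. The script below is an added example for this chapter, not code from the AIX eCourse: it inventories SUID and SGID files in one pass, stores the result as sorted text, and compares a later run against the saved baseline so that a new, removed, or re-owned SUID file stands out. It uses only POSIX sh, find, ls, awk, sort and comm, so it should run on AIX as well as Linux. The /var/adm paths in the usage comments and the stub files built by demo_run are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Baseline-and-compare inventory of SUID/SGID files. Added example for this chapter, not part
# of the AIX eCourse. Uses only POSIX sh, find, ls, awk, sort and comm, so it should run on AIX
# as well as Linux; the paths in the usage comments are assumptions.

# Print one line per SUID or SGID regular file under $1, formatted "mode owner group path".
# -xdev keeps the scan on a single file system so NFS mounts and removable media are skipped;
# the lines are sorted so that two inventories can be compared with comm.
suid_inventory() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; 2>/dev/null \
        | awk '{ print $1, $3, $4, $NF }' \
        | LC_ALL=C sort
}

# Compare a saved baseline ($1) with a fresh inventory ($2). Entries that are new, or whose
# mode/owner/group changed, are printed with a leading "+ "; entries that vanished or changed
# are printed with "- ". Returns 0 only when the two inventories are identical, so a cron job
# can alert on a non-zero status.
suid_diff() {
    added=$(LC_ALL=C comm -13 "$1" "$2")
    removed=$(LC_ALL=C comm -23 "$1" "$2")
    [ -n "$added" ] && printf '%s\n' "$added" | sed 's/^/+ /'
    [ -n "$removed" ] && printf '%s\n' "$removed" | sed 's/^/- /'
    if [ -n "$added" ] || [ -n "$removed" ]; then
        return 1
    fi
    return 0
}

# Constructed demonstration: build a scratch tree with stub SUID and SGID files, record a
# baseline, then plant an extra SUID file (standing in for an attacker's dropped binary) and
# show that the comparison reports it. The files are stubs created here, not real programs.
demo_run() {
    scratch=$(mktemp -d)
    mkdir -p "$scratch/bin"
    printf '#!/bin/sh\nexit 0\n' > "$scratch/bin/passwd" && chmod 4755 "$scratch/bin/passwd"
    printf '#!/bin/sh\nexit 0\n' > "$scratch/bin/wall"   && chmod 2755 "$scratch/bin/wall"
    suid_inventory "$scratch" > "$scratch/baseline"
    printf '#!/bin/sh\nexit 0\n' > "$scratch/bin/.sh"    && chmod 4755 "$scratch/bin/.sh"
    suid_inventory "$scratch" > "$scratch/current"
    suid_diff "$scratch/baseline" "$scratch/current"
}

# Usage on a real system (paths are assumptions): record the baseline once, after reviewing
# every entry, then run the comparison from cron and alert on a non-zero exit status.
#   suid_inventory / > /var/adm/suid.baseline
#   suid_inventory / > /var/adm/suid.current && suid_diff /var/adm/suid.baseline /var/adm/suid.current
```

Because the baseline stores mode, owner and group alongside the path, a SUID binary whose owner is changed to root, or a root-owned file that gains the SUID bit, shows up as a "- old / + new" pair rather than slipping through as an existing path. Review every entry in the first baseline by hand before trusting it; the comparison only tells you what changed relative to that snapshot.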


File ACLs on SUID and SGID programs should also be documented and regularly reviewed, for example with aclget:

aclget /usr/bin/at


NOSUID Files

A file system mounted with the nosuid option ignores the SUID and SGID bits on the files it holds. Executing SUID files from untrusted file systems, or from file systems that are not supposed to contain approved SUID programs, increases the risk of an unprivileged user gaining administrative access. Removable media, remote file systems, and any file system not intended to hold approved SUID or SGID files should therefore be mounted with nosuid.

Set the option with the chfs command, or edit the options attribute of the file system's stanza in /etc/filesystems.


There are cases where you need to lift nosuid temporarily. /tmp, for example, is commonly mounted with nosuid because attackers often use it to stage malicious executables; nosuid does not stop those files from running, but it guarantees that a SUID binary dropped there gains no extra privilege. Some application installers, however, unpack SUID helpers into /tmp and need to run them, so you may have to remount /tmp without nosuid for the duration of the install. It is critical to remount /tmp with nosuid again as soon as the installation is done.
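Knowing which file systems should carry nosuid is only useful if you can check that they actually do. The script below is an added example for this chapter, not code from the AIX eCourse: it parses the stanza format of AIX /etc/filesystems with POSIX awk and reports every mount point whose options attribute lacks nosuid, skipping an allowlist of file systems (typically / and /usr) that legitimately hold approved SUID programs. The sample stanzas written by sample_filesystems are constructed for the demonstration, and the chfs invocation in the closing comment is my reading of the AIX chfs manual rather than a command taken from the eCourse.

```shell
#!/bin/sh
# Audit which file systems lack the nosuid mount option. Added example for this chapter, not
# part of the AIX eCourse. It parses the stanza format of AIX /etc/filesystems with POSIX awk
# and runs anywhere; the sample stanzas below are constructed for the demonstration.

# Print the mount points in an /etc/filesystems-style file ($1) whose stanza does not carry
# nosuid in its options attribute. Any further arguments are mount points that legitimately hold
# approved SUID programs (typically / and /usr) and are therefore left out of the report.
# Assumes the usual AIX layout: an unindented "mountpoint:" header, then "attribute = value" lines.
filesystems_without_nosuid() {
    fsfile=$1
    shift
    awk -v allow="$*" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) allowed[a[i]] = 1 }
        # a new stanza begins: report the previous one, then start collecting this one
        /^[^ \t#].*:[ \t]*$/ { report(); name = $1; sub(/:$/, "", name); opts = ""; next }
        $1 == "options"     { opts = $3 }
        END                 { report() }
        function report() {
            # a stanza with no options line mounts with defaults, which honour SUID, so it is reported too
            if (name != "" && !(name in allowed) && opts !~ /(^|,)nosuid(,|$)/) print name
            name = ""
        }
    ' "$fsfile"
}

# Write a constructed /etc/filesystems to $1. The stanzas mimic AIX syntax but are made up for
# this example: /tmp and the CD-ROM already carry nosuid, / and /home do not.
sample_filesystems() {
    cat > "$1" <<'EOF'
/:
        dev             = /dev/hd4
        vfs             = jfs2
        mount           = automatic
        options         = rw

/tmp:
        dev             = /dev/hd3
        vfs             = jfs2
        mount           = automatic
        options         = rw,nosuid

/home:
        dev             = /dev/hd1
        vfs             = jfs2
        mount           = true
        options         = rw

/mnt/cdrom:
        dev             = /dev/cd0
        vfs             = cdrfs
        mount           = false
        options         = ro,nosuid
EOF
}

# On AIX the fix for a reported file system is to add the option and remount, e.g. (assumed
# from the chfs manual, not taken from the eCourse):
#   chfs -a options=rw,nosuid /home
#   umount /home && mount /home
```

Run it as `filesystems_without_nosuid /etc/filesystems / /usr` and treat every line of output as a file system to justify or fix. Remember that a stanza only describes how the file system will be mounted next time; compare the report with the live output of mount to catch a /tmp that was remounted without nosuid for an install and never put back.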
