Issue the following command:
sudo find /tmp -perm -4000
The SUID permission causes a script to run as the user who is the owner of the script, rather than the user who started it. It is normally considered extremely bad practice to run a program in this way as it can pose many security problems. Later versions of the Linux kernel will even prohibit the running of shell scripts that have this attribute set.
The /tmp directory should never have any files with the SETUID bit set. If one is found then the entire system is probably compromised, so additional security checks should be undertaken.
If a file is detected, delete it straight away using the command:
sudo rm /tmp/filename
Issue the following command:
sudo find / -perm -4002 2>/dev/null
There should never be any files that are world writable and have the setuid bit on. If one is found then the entire system is probably compromised, so additional security checks should be undertaken.
If a file is detected, delete it straight away using the command (this search covers the whole system, so use the path that find printed):
sudo rm /path/to/filename
Issue the following command:
sudo find /etc/master.passwd /etc/shadow /etc/shadow- /etc/gshadow /etc/sudoers /var/log/messages -perm /g+r,o+r 2>/dev/null
These files should never be readable by anyone but root. Note that -perm /g+r,o+r matches a file if either the group or others can read it; -perm -g+r,o+r would only match files readable by both and would miss a file that is readable by group alone.
Issue the following command:
sudo find / -perm -4000 2>/dev/null
Files with the setuid bit set are not necessarily evil and can improve your system's security; however, a great many exploits take advantage of vulnerabilities in setuid files because they are an easy way to escalate privileges, especially when the setuid file belongs to root.
Take a very close look at those files and ensure that each one really needs to have the setuid bit on and is known to be secure and stable.
To find SUID files which are owned by root, issue the following command instead:
sudo find / -perm -4000 -user root 2>/dev/null
Issue the following command:
sudo find / -perm -2000 2>/dev/null
The SGID permission causes a script to run with its group set to the group of the script, rather than the group of the user who started it. It is normally considered extremely bad practice to run a program in this way as it can pose many security problems. Later versions of the Linux kernel will even prohibit the running of shell scripts that have this attribute set.
setgid directories can be really useful and can improve your system's security; however, a great many exploits take advantage of vulnerabilities in setgid files because they are an easy way to escalate privileges, especially when the setgid file belongs to root.
Take a very close look at those files and ensure that each one really needs to have the setgid bit on and is known to be secure and stable.
To find SGID files which are owned by root, issue the following command instead:
sudo find / -perm -2000 -user root 2>/dev/null
Issue the following command:
sudo find / ! -type l -perm -002 2>/dev/null
World writable files owned by root can lead to easy privilege escalation or system corruption.
Take a very close look at those files and ensure that each one really needs to be world writable.
Note: the "! -type l" option excludes symlinks, which find would otherwise report as world writable files because a symlink's own mode is always 777.
Issue the following command:
sudo find -L / -maxdepth 8 -type l 2>/dev/null
With -L, find follows symlinks, so -type l matches only links whose target does not exist (dangling symlinks); -maxdepth 8 limits the depth of the search and is placed before the tests, as GNU find expects. Take a very close look at these links and ensure that each one is really needed.
Issue the following command:
sudo find / -perm -1000 2>/dev/null
The sticky bit is important. It should always be set on world writable folders to prevent a user from removing files they do not own.
Issue the following command:
sudo find /bin /sbin /boot /etc /lib /root /usr ! -type l -perm -002
Certain files should never be world writable or even world readable.
These include the directories /bin, /sbin, /boot, /etc, /lib, /root, /usr. A world writable file in these directories could lead to system trojaning/corruption.
Issue the following command:
sudo find / -type d -perm -002 ! -perm -1000 2>/dev/null
World writable directories, where they are allowed (such as /var/tmp or /tmp), must have the sticky bit on to prevent unauthorized file deletion.
Issue the following command:
sudo find /root ! -user root 2>/dev/null
If any files are returned, check why they exist in the /root directory. Only files that actually belong to root should exist in that directory.
Either set the owner of the file to root, or move the file to the correct location, or delete the file.
Issue the following command:
sudo find / -nouser 2>/dev/null
Ensure that all files on the system belong to a valid user.
Issue the following command:
sudo find / -nogroup 2>/dev/null
Ensure that all files on the system belong to a valid group.
Issue the following command:
sudo find /bin /sbin /lib /boot /etc /home /root /sys /usr /var /tmp /mnt /media /proc -type b -o -type c 2>/dev/null
This should not return any files. If it does then try to determine why. Either move the file elsewhere, or delete it.
Issue the following command:
sudo find /tmp -type l
Symlinks should also be checked carefully as they are often exploited to gain root privileges.
The presence of a symlink inside the /tmp directory is not dangerous in itself but if that symlink was intentionally created by an attacker to imitate the name of tmp files generated by an insecure program, this symlink could lead to the corruption of a system file or to privilege escalation.
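The find checks above, collected into one script as an added example that is not part of the original checklist: each finding is tagged with a class so the output can be filtered or counted, and the setgid search uses mode bit 2000. GNU find and awk are assumed, as in the page's own commands.

```shell
#!/bin/sh
# Added example, not part of the original checklist: run the permission audits
# above over one directory tree and tag every finding with a class name.
# Assumes GNU find and awk, as the page's own commands do.

# audit_tree DIR -> one "CLASS<TAB>PATH" line per finding, sorted
audit_tree() {
    dir=$1
    {
        # setuid files: the -perm -4000 check
        find "$dir" -xdev -type f -perm -4000 2>/dev/null | awk '{print "SUID\t" $0}'
        # setgid files: mode bit 2000, not 4000
        find "$dir" -xdev -type f -perm -2000 2>/dev/null | awk '{print "SGID\t" $0}'
        # setuid AND world writable: never legitimate, a compromise indicator
        find "$dir" -xdev -type f -perm -4002 2>/dev/null | awk '{print "SUID_WW\t" $0}'
        # world writable regular files; symlinks are skipped as the page notes
        find "$dir" -xdev -type f -perm -002 2>/dev/null | awk '{print "WW_FILE\t" $0}'
        # world writable directories missing the sticky bit
        find "$dir" -xdev -type d -perm -002 ! -perm -1000 2>/dev/null \
            | awk '{print "WW_DIR_NOSTICKY\t" $0}'
        # dangling symlinks: with -L, -type l matches only links that cannot be followed
        find -L "$dir" -xdev -type l 2>/dev/null | awk '{print "BROKEN_LINK\t" $0}'
    } | sort
}

# count_class DIR CLASS -> number of findings of that class, for scripted thresholds
count_class() {
    audit_tree "$1" | awk -v c="$2" '$1 == c' | wc -l | tr -d ' '
}

# Usage: sh audit.sh DIR   (e.g. sudo sh audit.sh / for the whole system)
if [ $# -gt 0 ]; then
    audit_tree "$1"
    # non-zero exit when the "never legitimate" class is present
    [ "$(count_class "$1" SUID_WW)" -eq 0 ] || exit 2
fi
```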
Issue the following commands:
sudo chmod 700 /bin/ping
sudo chmod 700 /usr/bin/who
sudo chmod 700 /usr/bin/w
sudo chmod 700 /usr/bin/locate
sudo chmod 700 /usr/bin/whereis
sudo chmod 700 /sbin/ifconfig
sudo chmod 700 /bin/nano
sudo chmod 700 /usr/bin/vi
sudo chmod 700 /usr/bin/which
sudo chmod 700 /usr/bin/gcc
sudo chmod 700 /usr/bin/make
sudo chmod 700 /usr/bin/apt-get
sudo chmod 700 /usr/bin/aptitude
Install the AIDE file integrity package as per the AIDE Configuration Standards document:
The Advanced Intrusion Detection Environment (AIDE) is a free replacement for the popular file integrity verification tool known as Tripwire. It creates a database from regular expression rules that it finds in a configuration file. Once this database is initialized, it can be used to verify the integrity of critical system and user files.
Install iWatch: http://iwatch.sourceforge.net/documentation.html
Copyright ShareWiz by Peter Roux