Jerry Callen wrote:
> 
> Is there a semi-canonical list of the things that must run setuid on a
> Linux system, and why? This would help from an auditing perspective.

I just ran an audit using something like this (doing this from
memory, but you get the idea):

find / -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | \
        xargs rpm -qf 2>/dev/null | \
        grep -v 'not owned by any package' | \
        sort -u | \
        xargs rpm -V | \
        grep '^..5' | \
        grep -v ' c ' | \
        awk '{print $NF}' | \
        xargs ls -l | \
        grep -E '^...[sS]|^......[sS]'

This showed me any files from installed RPM packages that
were suid or sgid and had the wrong MD5 hash.  From there,
feeding the result of that back into an 'rpm -qf' told me which
packages to reinstall (and there were some, alas!).  Looking for
suid/sgid files that *aren't* part of RPMs was a separate
process.

I should have updated the RPM database first, but I don't remember
how (if I ever knew).  So if anyone cracked me, installed a
suid or sgid file replacing, say, /bin/login, and then made the
RPM database's MD5 hash match the replaced file, I don't know about
it.
-- 
#ken    P-)}

Ken Coar                    <http://Golux.Com/coar/>
Apache Software Foundation  <http://www.apache.org/>
"Apache Server for Dummies" <http://Apache-Server.Com/>
"Apache Server Unleashed"   <http://ApacheUnleashed.Com/>
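A scripted version of the same audit, added here as an illustration and not part of Ken's post or of any RPM tooling. It does the three things the one-liner does (find setuid/setgid files, map them to packages with `rpm -qf`, run `rpm -V` and keep non-config files whose MD5 column is `5`) but as separate functions, and it also reports privileged files that no package owns, the step handled by hand above. The `rpm -V` sample embedded in the script is constructed, and the parser assumes the usual attribute-string/type-column/path layout of `rpm -V` output; `rpm` itself is only invoked from `main()`.

```python
#!/usr/bin/env python3
"""Audit setuid/setgid files against the RPM database (example, not Ken's code)."""
import os
import stat
import subprocess
from typing import Iterable, Iterator, List, Set, Tuple

# Constructed sample of `rpm -V` output; not captured from a real host.
# Attribute string columns: S M 5 D L U G T P (5 = MD5 digest differs).
SAMPLE_RPM_V = """\
S.5....T.    /bin/login
.......T.    /usr/bin/passwd
S.5....T.  c /etc/pam.d/login
missing      /usr/sbin/userhelper
"""


def is_privileged(mode: int) -> bool:
    """True for a regular file carrying the setuid or setgid bit."""
    return stat.S_ISREG(mode) and bool(mode & (stat.S_ISUID | stat.S_ISGID))


def find_privileged(root: str) -> Iterator[str]:
    """Walk `root` without following symlinks; yield setuid/setgid files."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished between listing and stat
            if is_privileged(st.st_mode):
                yield path


def parse_rpm_verify(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (attributes, file_type, path) per `rpm -V` line.

    Lines look like 'S.5....T.    /bin/login' or 'S.5....T.  c /etc/foo';
    the single-letter type column (c = config, d = doc, ...) is optional.
    Anything else (dependency complaints, blank lines) is skipped.
    """
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 2:
            yield parts[0], "", parts[1]
        elif len(parts) == 3 and len(parts[1]) == 1:
            yield parts[0], parts[1], parts[2]


def md5_mismatches(text: str) -> List[str]:
    """Non-config files whose on-disk MD5 differs from the RPM database."""
    return [
        path
        for attrs, ftype, path in parse_rpm_verify(text)
        if ftype != "c" and len(attrs) >= 3 and attrs[2] == "5"
    ]


def missing_files(text: str) -> List[str]:
    """Files the database lists but `rpm -V` could not find on disk."""
    return [p for attrs, _t, p in parse_rpm_verify(text) if attrs == "missing"]


def owning_packages(paths: Iterable[str]) -> Tuple[Set[str], List[str]]:
    """Map paths to packages via `rpm -qf`; return (packages, unowned paths)."""
    packages: Set[str] = set()
    unowned: List[str] = []
    for path in paths:
        proc = subprocess.run(["rpm", "-qf", path], capture_output=True, text=True)
        if proc.returncode == 0:
            packages.update(proc.stdout.split())
        else:
            unowned.append(path)  # not in any package: inspect by hand
    return packages, unowned


def main(root: str = "/") -> None:
    files = set(find_privileged(root))
    packages, unowned = owning_packages(sorted(files))
    verify = subprocess.run(["rpm", "-V", *sorted(packages)],
                            capture_output=True, text=True).stdout
    for path in md5_mismatches(verify):
        tag = "suid/sgid" if path in files else "same package"
        print(f"MD5 mismatch ({tag}): {path}")
    for path in missing_files(verify):
        print(f"missing from disk: {path}")
    for path in unowned:
        print(f"privileged but unpackaged: {path}")


if __name__ == "__main__":
    main()
```

Like the one-liner, this trusts the RPM database itself; a database edited to match a replaced binary will still verify clean, which is the caveat in the last paragraph above.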
