Searching for Files with Special Permissions

You should monitor your systems for any unauthorized use of the setuid and setgid permissions to gain superuser privileges. A suspicious listing would be one that grants ownership of a setuid or setgid program to a user other than bin or sys.

You can use the permissions (-perm) option to the find command to search for files with setuid, setgid, or sticky bit permissions. The -perm -4000 test used in the steps below matches any file whose setuid bit is set, whatever its other mode bits are (-perm -2000 matches setgid and -perm -1000 the sticky bit). Use the following steps to search for files with setuid permissions:

1.  Become superuser.
2.  Type find <directory> -user root -perm -4000 -print and press Return.

The following example lists the system files that have setuid permissions.

castle% find / -user root -perm -4000 -print
/usr/lib/lp/bin/netpr
/usr/lib/fs/ufs/quota
/usr/lib/fs/ufs/ufsdump
/usr/lib/fs/ufs/ufsrestore
/usr/lib/exrecover
/usr/lib/pt_chmod
/usr/lib/sendmail
/usr/lib/utmp_update
/usr/lib/acct/accton
/usr/openwin/lib/mkcookie
/usr/openwin/bin/xlock
/usr/openwin/bin/ff.core
/usr/openwin/bin/kcms_configure
/usr/openwin/bin/kcms_calibrate
/usr/openwin/bin/sys-suspend
/usr/dt/bin/dtaction
/usr/dt/bin/dtappgather
/usr/dt/bin/sdtcm_convert
/usr/dt/bin/dtprintinfo
/usr/dt/bin/dtsession
/usr/bin/at
/usr/bin/atq
/usr/bin/atrm
/usr/bin/crontab
/usr/bin/eject
/usr/bin/fdformat
/usr/bin/login
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/ps
/usr/bin/rcp
/usr/bin/rdist
/usr/bin/rlogin
/usr/bin/rsh
/usr/bin/su
/usr/bin/uptime
/usr/bin/w
/usr/bin/yppasswd
/usr/bin/admintool
/usr/bin/ct
/usr/bin/chkey
/usr/bin/nispasswd
/usr/bin/cancel
/usr/bin/lp
/usr/bin/lpset
/usr/bin/lpstat
/usr/bin/volcheck
/usr/bin/volrmmount
/usr/sbin/allocate
/usr/sbin/mkdevalloc
/usr/sbin/mkdevmaps
/usr/sbin/ping
/usr/sbin/sacadm
/usr/sbin/whodo
/usr/sbin/deallocate
/usr/sbin/list_devices
/usr/sbin/ffbconfig
/usr/sbin/m64config
/usr/sbin/lpmove
/usr/sbin/pmconfig
/usr/sbin/static/rcp
/usr/ucb/ps
/proc/216/object/a.out
/proc/388/object/a.out
castle%
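The monitoring the text calls for is easier to repeat if the find command is wrapped in a small script that flags unexpected owners and compares against a snapshot taken on a known-good system. This is an added example, not from the book: audit_suid, suid_snapshot and suid_new_since are hypothetical helper names, and the list of expected owners is supplied by the caller.

```shell
# Added example (not from the book): audit setuid/setgid files under DIR,
# flag any whose owner is not in the expected-owner list, and compare the
# result against a baseline snapshot. Helper names are hypothetical.

# audit_suid DIR "owner1 owner2 ...": one tab-separated line per file:
#   OK|SUSPECT  <mode>  <owner>  <path>
audit_suid() {
  dir=$1
  expected=" $2 "
  # -perm -4000 matches setuid, -perm -2000 matches setgid (the -perm -MODE
  # form means "all of these bits set"). ls -ld gives mode, owner and path
  # in columns 1, 3 and last (paths containing spaces are not handled).
  find "$dir" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; 2>/dev/null |
  awk '{ print $1, $3, $NF }' |
  while read -r mode owner path; do
    case "$expected" in
      *" $owner "*) status=OK ;;
      *)            status=SUSPECT ;;
    esac
    printf '%s\t%s\t%s\t%s\n' "$status" "$mode" "$owner" "$path"
  done
}

# suid_snapshot DIR OWNERS: sorted listing to keep as a baseline.
suid_snapshot() {
  audit_suid "$1" "$2" | LC_ALL=C sort
}

# suid_new_since DIR OWNERS BASELINE: lines present now but absent from the
# baseline, i.e. new or changed setuid/setgid files (or changed owners).
suid_new_since() {
  audit_suid "$1" "$2" | LC_ALL=C sort | LC_ALL=C comm -13 "$3" -
}

# Typical use on the system described in the text:
#   suid_snapshot / "root bin sys" > /var/adm/suid.baseline
#   suid_new_since / "root bin sys" /var/adm/suid.baseline
```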

Access Control Lists (ACLs)

Access Control Lists (ACLs, pronounced “ackkls”) can provide greater control over file permissions when traditional UNIX file permissions are not enough. UNIX file protection provides read, write, and execute permissions for three user classes: owner, group, and other. An ACL provides better file security by enabling you to define file permissions for the owner, owner's group, others, specific users, and groups. It also enables you to define default permissions for each of these categories.

For example, you might have two groups that need permission to access a file, one to read it and one to write to it. Alternatively, you might have a file that you want everyone in a group to be able to read, so you would give group read permission on that file. Suppose that you want only two people in the group to be able to write to that file. With standard UNIX permissions, you cannot give write permission to only two members of a group. You can, however, set up an ACL for that file that grants write permission to only those two people.

ACLs are extensions to standard UNIX file permissions. The ACL information is stored and associated with each file individually.

ACL Commands

You define an ACL for a file or directory by using the ACL commands and options listed in Table 18-8.

Table 18-8 ACL Commands and Options

Command/Option    Description
getfacl           Displays ACL entries.
  -a              Displays the filename, owner, group, and ACL of the file.
  -d              Displays the filename, owner, and group of the file. The information is displayed even if the file does not have an ACL.
setfacl           Sets, adds, modifies, and deletes ACL entries.
  -s acl_entries  Sets the ACL for the file, removing all old entries and replacing them with the newly specified ACL.
  -m acl_entries  Adds one or more new ACL entries to the file or modifies one or more existing ACL entries for the file. If an entry already exists, the specified permissions replace the current permissions. If no entry exists, a new entry is created.
  -d acl_entries  Deletes one or more entries from the file. You cannot delete entries for the file owner, the owning group, and other. Note that deleting an entry does not necessarily have the same result as removing all permissions from the entry.
  -f acl_file     Specifies a file containing the ACL entries to be used as arguments to the setfacl command.
  -r              Recalculates permissions for the ACL mask. Permissions specified in the mask are ignored and replaced by the maximum permissions needed to give access to any additional user, owning group, and additional group entries in the ACL.

Each ACL entry consists of the following fields, which are separated by colons:

<entry-type>:[<UID>] | [<GID>]:<perms>

Table 18-9 explains each of the elements of the syntax for ACL commands.

Table 18-9 ACL Argument Syntax

Argument      Description
<entry-type>  Type of ACL entry on which to set file permissions. For example, <entry-type> can be user (the file owner when no <UID> is given, or a specific user when one is) or mask (the ACL mask).
<UID>         Username or user identification number.
<GID>         Group name or group identification number.
<perms>       Permissions set for the <entry-type>. Permissions can be set symbolically using the characters r, w, x, and - or by using octal values from 0 to 7.
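The entry syntax of Table 18-9 and the mask recalculation that Table 18-8 describes for setfacl -r, worked through as an added example that is not from the book: perms_to_octal, octal_to_symbolic and recalc_mask are hypothetical names, and the example accepts both the rwx-style and the octal form of <perms>.

```shell
# Added example (not from the book): parse ACL entries written as
# <entry-type>:[<UID>]|[<GID>]:<perms> and recalculate the ACL mask the way
# setfacl -r is described: the union of the permissions of every additional
# user entry, the owning group entry and every additional group entry.

# perms_to_octal PERMS: accept "rwx"-style (r, w, x or -) or octal 0-7; print 0-7.
perms_to_octal() {
  case "$1" in
    [0-7]) echo "$1" ;;
    [r-][w-][x-])
      n=0
      case "$1" in r??) n=$((n + 4)) ;; esac
      case "$1" in ?w?) n=$((n + 2)) ;; esac
      case "$1" in ??x) n=$((n + 1)) ;; esac
      echo "$n" ;;
    *) echo "bad perms: $1" >&2; return 1 ;;
  esac
}

# octal_to_symbolic 0-7: print the rwx form.
octal_to_symbolic() {
  s=""
  if [ $(($1 & 4)) -ne 0 ]; then s="${s}r"; else s="${s}-"; fi
  if [ $(($1 & 2)) -ne 0 ]; then s="${s}w"; else s="${s}-"; fi
  if [ $(($1 & 1)) -ne 0 ]; then s="${s}x"; else s="${s}-"; fi
  echo "$s"
}

# recalc_mask "entry,entry,...": print the recalculated mask in rwx form.
recalc_mask() {
  old_ifs=$IFS; IFS=,; set -- $1; IFS=$old_ifs   # split on commas as setfacl does
  mask=0
  for e in "$@"; do
    type=${e%%:*}
    rest=${e#*:}
    id=${rest%%:*}
    perms=${rest#*:}
    case "$type" in
      user)  [ -n "$id" ] || continue ;;   # user:: is the owner; the mask never limits the owner
      group) ;;                            # group:: (owning group) and group:NAME both count
      mask|other) continue ;;              # not part of the calculation
      *) echo "bad entry type: $type" >&2; return 1 ;;
    esac
    o=$(perms_to_octal "$perms") || return 1
    mask=$((mask | o))
  done
  octal_to_symbolic "$mask"
}
```

For the scenario in the text (group reads, two members write) the entries user:alice:rw-,user:bob:rw- and group::r-- recalculate to a mask of rw-, which is why the mask must be raised before those two users actually gain write access.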


NOTE:  ACLs are supported in UFS file systems only. If you restore or copy files with ACL entries into the /tmp directory, which is usually mounted as a TMPFS file system, the ACL entries are lost. If you need to temporarily store UFS files containing ACLs, use the /var/tmp directory instead.

