Binaries

Finding setuid binaries on Linux and BSD

To perform a basic audit of the binaries on your system, start by searching for setuid binaries. Finding them is easy with the find command.

Summary

Why setuid?

Binaries with the setuid bit set are executed with the privileges of the root user who owns them, rather than those of the user who runs them. This allows normal (non-privileged) users to perform privileged operations, such as opening raw sockets. While this may seem unnecessary for a normal user, it is actually needed for simple commands like ping.

Finding files with setuid bit

To discover all files with the setuid bit, we can use the find command. Depending on the operating system, find accepts different parameters and options. On Linux, for example, GNU find accepts -perm with slash notation (e.g. -perm /4000), which matches a file if any of the given permission bits is set. This notation is not supported by BSD find, for example on NetBSD.

PCI DSS Linux: No write access to shared system binaries

PCI compliance demands that users have no write access to shared system binaries. Let's use several tools to determine whether write access is allowed.

Summary

A.1.2.c Verify that an entity’s users do not have write access to shared system binaries

Shared system binaries should be protected, as they form the basis of your system. PCI compliance (A.1.2.c) demands that users do not have write access to shared system binaries. The only exception is of course the root user, so that software upgrades remain possible.
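As an added example, not taken from either article above, the following POSIX shell helpers perform both audits with find(1): the setuid/setgid listing uses -perm -4000 and -perm -2000, which, unlike GNU find's slash notation, also work on BSD find, and the group/world-writable check covers the A.1.2.c concern. The sample directory tree and the file names in it are constructed for the offline self-check; on a real system the directories to audit are passed on the command line.

```shell
#!/bin/sh
# Added example, not from the original articles: portable audit helpers built on
# POSIX find(1). GNU find's "-perm /4000" ("any of these bits") is rejected by BSD
# find; "-perm -4000" ("all of these bits") is POSIX, and for a single bit the two
# mean the same thing, so it runs unchanged on Linux, FreeBSD, NetBSD and OpenBSD.

# List regular files under the given directories with the setuid or setgid bit set.
# -xdev keeps find on the starting filesystem; unreadable directories are skipped.
find_setid_binaries() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# List regular files writable by group (020) or others (002): any hit inside a
# shared system binary directory is what PCI DSS A.1.2.c asks you to rule out.
# Symlinks are skipped because their own mode bits carry no meaning.
find_group_or_world_writable() {
    find "$@" -xdev -type f \( -perm -020 -o -perm -002 \) -print 2>/dev/null | sort
}

# Build a constructed directory tree that stands in for a system binary directory,
# so the checks can be exercised offline. Prints the directory path.
build_sample_tree() {
    dir=$(mktemp -d) || return 1
    : > "$dir/setuid_tool";    chmod 4755 "$dir/setuid_tool"    # like ping: expected
    : > "$dir/setgid_tool";    chmod 2755 "$dir/setgid_tool"
    : > "$dir/world_writable"; chmod 0666 "$dir/world_writable"  # the PCI violation
    : > "$dir/normal_tool";    chmod 0755 "$dir/normal_tool"     # must not be listed
    printf '%s\n' "$dir"
}

# Usage: sh audit_binaries.sh <directory>...   (the directories to audit are yours)
if [ "$#" -gt 0 ]; then
    echo "== setuid/setgid files =="
    find_setid_binaries "$@"
    echo "== group- or world-writable files =="
    find_group_or_world_writable "$@"
fi
```

Review every setuid/setgid hit against what your distribution ships; a binary that is not expected there, or any writable file at all, is what the audit is meant to surface.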

Paths for system binaries

Depending on the distribution used, shared system binaries live in several directories. Common paths are: