man process-setuid
NAME
process-setuid - analyze [sg]uid,acl,o+w files on a system
SYNOPSIS
process-setuid [-options] command setting
DESCRIPTION
The process-setuid script is distributed with uaxtools and is intended to compare
the mode, ownership, and checksum of [sg]uid files with a registry of known files. It
can also be used to audit o+w files and the presence of acls on files and directories.
The permchk script can be used to invoke process-setuid for a collection of systems.
Many traditional UNIX implementations contained inappropriate suid files which
could be exploited by users to gain root authority. While modern Linux implementations
typically do not have this issue, it is still appropriate to audit all [sg]uid files
on a system. This does require that prelink be disabled (which is a good idea
regardless). The etc/sguid.list file (described below) contains two sets of mode and
ownership for each file, the "old" (original) and the "new" (site defined).
The process-setuid command structure was used to record site defined changes to
distributed vendor permissions and provide the ability to swap files back to the
vendor (old) mode|ownership if necessary (when vendors claimed a site was unsupported
if they changed file attributes). This is effectively irrelevant now, and the most
useful invocations are either 'process-setuid compare new' to validate (audit) the
current state or 'process-setuid update new' to produce output to update sguid.list
after a system update.
This script uses the process-setuid_os wrapper which can be used to customize for a
site (e.g., which filesystems to audit). By default it will select all local
filesystems not mounted nosuid. The command it uses to identify files is 'uals
--type df -URA --or --acl --mode 7002 --fields tf --mount' against a filesystem
which is then piped to 'uals -dL --fields mogsr' for comparison. This provides an
easy means to audit acls, o+w, [sg]uid files and directories on system filesystems.
COMMAND
compare
Compares current with old or new settings.
update
Records current as old or new settings (to stdout).
convert
Converts file from size only to size and checksum.
swap
Swaps current settings with old or new (requires sudo).
SETTING
new
Site-defined settings.
old
Original (vendor-defined) settings.
OPTIONS
-l list
Specify the sguid.list file.
-v
Verbose mode ('set -x').
FILE: sguid.list
The etc/sguid.list file has the following columns:
OS ARCH
The OS and ARCH columns are used to identify systems and can take three
forms:
OS and architecture, such as 'RHEL 6.8'.
Identify a host, such as 'sys kcrh6l'.
Identify a system mask, such as 'msk .*n.*'.
OldMode OldOwner OldGroup
Specifies the old or original mode and ownership of the file (before site
modification). Mode is 4 octal digits followed by '+' if the file has an
acl.
NewMode NewOwner NewGroup
Specifies the new or site modified mode and ownership of the file. If not
modified use '.'.
Size sum-r
Specifies the size and BSD checksum (sum -r) of the file.
Use '+' to indicate size can be ignored.
Use '-' to indicate the file does not exist.
Use '!' to indicate the file is a regular expression, such as '/tftpboot/.*'.
FILENAME
Specifies the file (or directory) to be validated.
#Comment
An optional comment can be provided after the filename starting with '#'.
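As an added illustration of the sguid.list format and the compare command (example code, not part of uaxtools): the following Python parses the columns described above, resolves '.' against the old values, honours the '+', '-' and '!' size markers, and reports deviations the way 'compare new' would, including files the scan found that the registry never lists. The current-state table stands in for the 'uals -dL --fields mogsr' output and is constructed here; field names and message wording are this example's own.

```python
import re
from collections import namedtuple
# One etc/sguid.list line. old/new are (mode, owner, group); size is a byte count or '+' (ignore),
# '-' (file must not exist) or '!' (path is a regular expression). Field names are this example's own.
Entry = namedtuple("Entry", "os arch old new size sum_r path")

def parse_sguid_list(text):
    entries = []
    rows = (raw.split("#", 1)[0].split() for raw in text.splitlines())  # drop '#' comment, tokenize
    for f in filter(None, rows):                                         # skip blank/comment-only lines
        if len(f) != 11:
            raise ValueError(f"malformed sguid.list entry: {' '.join(f)!r}")
        old = tuple(f[2:5])
        new = tuple(n if n != "." else o for n, o in zip(f[5:8], old))   # '.' means not modified
        entries.append(Entry(f[0], f[1], old, new, f[8], f[9], f[10]))
    return entries

def compare(entries, current, setting="new"):
    # Mirrors 'process-setuid compare new|old'; current maps path -> (mode, owner, group, size, sum -r)
    findings, seen = [], set()
    for e in entries:
        want = e.new if setting == "new" else e.old
        paths = [p for p in current if re.fullmatch(e.path, p)] if e.size == "!" else [e.path]
        for p in paths:
            seen.add(p)
            cur = current.get(p)
            if e.size == "-" or cur is None:             # registry says absent, or scan did not see it
                if (cur is None) != (e.size == "-"):
                    findings.append(f"{p}: {'missing' if cur is None else 'should not exist'}")
                continue
            mode, owner, group, size, sum_r = cur
            if (mode, owner, group) != want:
                findings.append(f"{p}: {mode} {owner} {group} != expected {' '.join(want)}")
            if e.size not in ("+", "!") and (size, sum_r) != (e.size, e.sum_r):
                findings.append(f"{p}: size/sum {size} {sum_r} != expected {e.size} {e.sum_r}")
    # a [sg]uid, o+w or acl file the scan found but the registry never mentions is the key audit hit
    findings += [f"{p}: not in sguid.list" for p in current if p not in seen]
    return findings
SAMPLE_LIST = """# constructed sample entries, not a real site's sguid.list
RHEL 6.8 4755 root root 4750 root wheel 32216 27201 /bin/ping  # site restricted ping to wheel
RHEL 6.8 4755 root root . . . + + /usr/bin/passwd
RHEL 6.8 4755 root root . . . - - /usr/bin/rcp
RHEL 6.8 2755 root tty . . . ! ! /usr/bin/w.*
"""
CURRENT = {  # constructed scan result: path -> (mode, owner, group, size, sum -r)
    "/bin/ping": ("4755", "root", "root", "32216", "27201"),
    "/usr/bin/passwd": ("4755", "root", "root", "30768", "12345"),
    "/usr/bin/rcp": ("4755", "root", "root", "21000", "50505"),
    "/usr/bin/wall": ("2755", "root", "tty", "15344", "42424"),
    "/opt/vendor/bin/helper": ("4755", "root", "root", "8192", "60606"),
}
```

Calling compare(parse_sguid_list(SAMPLE_LIST), CURRENT) flags the ping mode drift, the rcp binary that should be absent, and the unlisted helper; compare with setting "old" accepts the vendor ping mode and reports only the latter two.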
ACKNOWLEDGEMENTS
Written at the University of Alaska. Ongoing maintenance via SourceForge by Denali
Sun Consulting.
Suggestions or bug reports can be directed to denalisun907@gmail.com.
RELATED INFORMATION
See: uaxtools(8), permchk(8), push(8).