Let's discuss suid. Yes, the suid, which stands for 'Set-user-ID' root programs. As you can guess, these programs run as root regardless of who is executing them. The reason suid programs are so dangerous is that interaction with the untrusted user begins before the program is even started. There are many other ways to confuse the program, using things like environment variables, signals, or anything else you can think of. Exactly this 'confusion' of a program is a frequent cause of buffer overflows. More than 50 % of all major security bugs leading to the release of security advisories are accounted to suid programs. And some distributions ship with hundreds of these suid programs, most of which you'll probably never use. Of course there are a few which are necessary, so that a normal user can perform operations which are normally done by root. Now let's get to the root of the problem...
How can you find out about the suid programs on your system? The thing to do is to get a list of all suid programs on your system and start the boring task of going through them. Unfortunately, I can't tell you here which you need, might need or don't need. But, again, fear not, for logic is your best friend here. Just browse through the list of all suid programs, and sort out those that you use frequently, sometimes or never. But, I must warn you, the list could be looooong. OK, here we go, type the following line (of course as root):
find / -type f -perm /6000 -ls   # "-perm /6000" matches files with the setuid (4000) or setgid (2000) bit set; the old "-perm +6000" spelling is rejected by current GNU find
The output, after a while (it depends on the number of suid programs on your system), will resemble something like this.
Now, let's pretend that you want to remove the suid permission on /bin/ping, as you don't plan on using it:
chmod -s /bin/ping
That's it! Feel free to browse through the man pages of chmod to find out more if you want (that's 'man chmod'). Now the most annoying fact is that you'll have to do it for ALL suid programs that you don't plan on using.
The other issue is files which don't belong to anyone, or don't belong to any group. These are also dangerous, as they provide more ways to manipulate your system. Also, an unowned file may be a signal indicating an intruder on your system. Let's find them:
find / -nouser -o -nogroup
Nothing? Heh, that's exactly what we expect! And if you find any, feel free to change the ownership of the file to any user you want, or to delete it. If you want to change the ownership you might want to check out the command 'chown', of course by typing 'man chown'.
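Here is the whole procedure from the article (list the setuid/setgid files, strip the bit with chmod, re-check, and look for unowned files) wrapped into small shell functions. This is an added example, not part of the original article; the function names (list_suid, strip_suid, count_suid, list_unowned, demo) are my own, and the demo works on a constructed temporary directory with fake "tools" rather than on real system binaries, so it can be run safely as an unprivileged user. The find expression uses the POSIX "-perm -4000 -o -perm -2000" form, which works on both GNU and BSD find.

```shell
#!/bin/sh
# Added example (not from the original article): audit and strip setuid/setgid
# bits under a directory tree, then confirm nothing is left.

# Print every regular file below $1 that carries the setuid or setgid bit.
# "-perm -4000" matches files that have at least the setuid bit,
# "-perm -2000" those that have at least the setgid bit.
list_suid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Print files below $1 that belong to no known user or to no known group
# (the article's "find / -nouser -o -nogroup" check, scoped to one tree).
list_unowned() {
    find "$1" \( -nouser -o -nogroup \) -print
}

# Count the privileged files below $1 (handy for a before/after comparison).
count_suid() {
    list_suid "$1" | wc -l | tr -d ' '
}

# Remove the setuid and setgid bits from every file named on the command line,
# then re-check each one. Returns non-zero if any file still carries a bit,
# so a caller cannot mistake a failed chmod for a cleaned-up system.
strip_suid() {
    status=0
    for f in "$@"; do
        chmod u-s,g-s "$f" || status=1
        if [ -n "$(find "$f" -type f \( -perm -4000 -o -perm -2000 \) -print)" ]; then
            echo "still privileged: $f" >&2
            status=1
        fi
    done
    return $status
}

# Self-contained demonstration on a constructed directory: two fake "tools",
# one setuid and one setgid, plus a plain file. Prints "<before> <after>",
# i.e. the number of privileged files found before and after stripping.
demo() {
    tmp=$(mktemp -d) || return 1
    for name in fakeping fakewall plain; do
        printf '#!/bin/sh\necho hi\n' > "$tmp/$name"
    done
    chmod 4755 "$tmp/fakeping"   # setuid, like the article's /bin/ping
    chmod 2755 "$tmp/fakewall"   # setgid
    chmod 0755 "$tmp/plain"      # no special bits: must not be listed
    before=$(count_suid "$tmp")
    strip_suid "$tmp/fakeping" "$tmp/fakewall"
    after=$(count_suid "$tmp")
    rm -rf "$tmp"
    echo "$before $after"
}
```

To audit a real system you would call list_suid / (as root) with the same functions; the demo prints "2 0", showing that both fake tools were found and that nothing privileged remains after strip_suid. Because strip_suid re-checks with find after chmod, it also catches the case where chmod silently fails or the bit is re-applied.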