Findsuid source (Re: Security and set[ug]id shell scripts)
Prentiss Riddle
riddle at ut-sally.UUCP
Thu Jan 17 03:16:38 AEST 1985
: This is a shar archive. Extract with sh, not csh.
echo x - README
sed -e 's/^X//' > README << '!RoNnIe!RaYgUn!'
XFindsuid is a little utility we dreamt up to watch for potential Trojan horse
Xprograms by keeping an eye on our suid and sgid files and telling us when
Xthey change unexpectedly.
X
XWe run it using the following line in crontab:
X
X 40 3 * * * /etc/findsuid/findsuid >/etc/findsuid/fserror 2>&1
X
XIncluded here is the findsuid shell script, a man page, a makefile, and a
Xsample "stop" file.
X
X--- Prentiss Riddle ("Aprendiz de todo, maestro de nada.")
X--- {ihnp4,harvard,seismo,gatech,ctvax}!ut-sally!riddle
!RoNnIe!RaYgUn!
echo x - Makefile
sed -e 's/^X//' > Makefile << '!RoNnIe!RaYgUn!'
XFSLIB=/etc/findsuid
X
Xall:
X# Do nothing.
X
Xinstall:
X	cp findsuid.sh ${FSLIB}/findsuid
X	chmod 740 ${FSLIB}/findsuid
X
Xclean:
X# Do nothing.
!RoNnIe!RaYgUn!
echo x - findsuid.8
sed -e 's/^X//' > findsuid.8 << '!RoNnIe!RaYgUn!'
X.TH FINDSUID 8L "18 October 1984"
X.UC
X.SH NAME
Xfindsuid \- find changes in setuid and setgid files
X.SH SYNOPSIS
X.B findsuid
X.SH DESCRIPTION
X.I Findsuid
Xis a
Xshell script intended to be run periodically by
X.IR cron (8)
Xin order
Xto spot changes in files with the suid or sgid bits set.
X.PP
X.I Findsuid
Xuses
X.IR find (1)
Xto search system directories for all files with the 4000 or 2000 permission
Xbits set. It then compares these files with the contents of a ``stop file''
Xcontaining
X.B "ls -lga"
Xoutput for known setuid or setgid programs.
XAny additions or changes to this list represent potential security
Xproblems, so they are reported by mail to system administrators for further
Xinvestigation.
X.SH FILES
X.nf
X/etc/findsuid/stop the ``stop file''
X.fi
X.SH "SEE ALSO"
Xfind(1), chmod(1), cron(8)
X.SH BUGS
XThe location of the stop file, the directories to be searched and the
Xnames of users to be informed of changes are all defined by shell variables
Xin the source.
X.PP
XKeeping the stop files up to date with changes to all
Xthe suid files on more than a couple of hosts is a royal pain!
!RoNnIe!RaYgUn!
echo x - findsuid.sh
sed -e 's/^X//' > findsuid.sh << '!RoNnIe!RaYgUn!'
X#! /bin/sh
X#
X# findsuid 840919 Prentiss Riddle
X#
X# Shell script intended to be run periodically by cron in order
X# to spot changes in files with the suid or sgid bits set.
X#
X# Findsuid uses find(1) to search the directories in $SEARCH for all
X# files with the 4000 or 2000 permission bits set. $STOP is a file
X# containing "ls -lga" output for known setuid or setgid programs.
X# Any additions or changes to this list represent potential security
X# problems, so they are reported to the users named in $INFORM.
X#
XINFORM="findsuid"
XSEARCH="/"
XSTOP=/etc/findsuid/stop
XTEMPOLD=/tmp/fsold$$
XTEMPCUR=/tmp/fscur$$
XTEMPNEW=/tmp/fsnew$$
XTEMPM=/tmp/fsm$$
X
Xumask 077
X# find the setuid programs and sort
Xfind $SEARCH \( -perm -4000 -o -perm -2000 \) -exec ls -lga {} \; | \
X sort > $TEMPCUR
X# compare with the sorted stop list
Xsort <$STOP >$TEMPOLD
Xcomm -13 $TEMPOLD $TEMPCUR | sort +8 >$TEMPNEW
X# report changes
Xif test -s $TEMPNEW; then
X echo 'Subject: New setuid or setgid files found on '`hostname`'.' >$TEMPM
X echo '' >>$TEMPM
X echo 'The following files have their setuid or setgid bits' >>$TEMPM
X echo 'set and are not listed in '$STOP >>$TEMPM
X echo 'or have changed:' >>$TEMPM
X echo '' >>$TEMPM
X cat $TEMPNEW >>$TEMPM
X /bin/mail $INFORM <$TEMPM
X /bin/rm $TEMPM
Xfi
X/bin/rm $TEMPOLD $TEMPCUR $TEMPNEW
!RoNnIe!RaYgUn!
echo x - stop.sample
sed -e 's/^X//' > stop.sample << '!RoNnIe!RaYgUn!'
X-rwsr-xr-x 1 root bin 10240 Jun 13 13:13 /bin/chgrp
X-rwsr-xr-x 1 root bin 12288 Jun 13 13:13 /bin/df
X-rws--s--- 1 root term 22528 Aug 13 13:13 /bin/login
X-rws------ 1 root bin 21504 Jun 13 13:13 /bin/login.old
X-rwsr-xr-x 1 root bin 22528 Jun 13 13:13 /bin/mail
X-rwsr-xr-x 1 root bin 14336 Jun 13 13:13 /bin/passwd
X-rwxr-sr-x 1 root MEM 22528 Jun 13 13:13 /bin/ps
X-rwsr-xr-x 1 root bin 16384 Jun 13 13:13 /bin/su
X-rwxr-sr-x 1 root MEM 14336 Jun 13 13:13 /etc/dmesg
X-rwsr-x--- 1 root operator 29696 Jun 13 13:13 /etc/dump
!RoNnIe!RaYgUn!
exit
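The comparison findsuid does with `comm -13`, as an added Python example that is not part of Riddle's post or package: it keys the stop-file lines on the path, so a new file is told apart from one whose mode, owner, group or size changed, and it also lists entries that have vanished from the listing (which `comm -13` alone never reports). The two listings are constructed sample data modelled on stop.sample; the date fields are deliberately ignored.

```python
# Added example, not from the original post: path-keyed diff of a
# findsuid stop file against a fresh "ls -lga" listing of suid/sgid files.
from collections import namedtuple

Entry = namedtuple("Entry", "mode links owner group size")

def parse_listing(text):
    """Parse "ls -lga"-style lines into {path: Entry}; dates are dropped."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 9 or fields[0][0] not in "-dlbcps":
            continue                      # blank lines, "total N" headers
        mode, links, owner, group, size = fields[:5]
        path = " ".join(fields[8:])       # tolerate spaces in the name
        entries[path] = Entry(mode, int(links), owner, group, int(size))
    return entries

def diff_suid(stop_text, current_text):
    """Return (added, changed, removed); `changed` maps path to a list of
    (field, old, new) so the report says exactly what moved."""
    old, new = parse_listing(stop_text), parse_listing(current_text)
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = {}
    for path in sorted(set(old) & set(new)):
        diffs = [(f, getattr(old[path], f), getattr(new[path], f))
                 for f in Entry._fields
                 if getattr(old[path], f) != getattr(new[path], f)]
        if diffs:
            changed[path] = diffs
    return added, changed, removed

# Constructed sample data modelled on stop.sample (not a real system).
STOP = """\
-rwsr-xr-x 1 root bin 14336 Jun 13 13:13 /bin/passwd
-rwsr-xr-x 1 root bin 16384 Jun 13 13:13 /bin/su
-rwxr-sr-x 1 root MEM 22528 Jun 13 13:13 /bin/ps
"""
CURRENT = """\
-rwsr-xr-x 1 root bin 14336 Jun 13 13:13 /bin/passwd
-rwsrwxrwx 1 root bin 16384 Jan 17 03:16 /bin/su
-rwsr-xr-x 1 root bin 8192 Jan 17 03:16 /usr/local/bin/newtool
"""
if __name__ == "__main__":
    added, changed, removed = diff_suid(STOP, CURRENT)
    for p in added: print("ADDED  ", p)
    for p, d in changed.items(): print("CHANGED", p, d)
    for p in removed: print("REMOVED", p)
```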