
Checking for Set-UIDs in the root Filesystem

The following command line reports all files with a set-UID for the root filesystem (not just those owned by root) on EFS filesystems:

ncheck -s /dev/root | cut -f2 | grep -v /dev/ | xargs ls -ld
ls -l `/etc/ncheck -s /dev/root | cut -f2 | grep -v dev`

The ncheck(1M) command, by itself, can be used on a mounted or unmounted file system. Only the superuser may use ncheck. The normal output of the ncheck -s command includes special files. Here, the grep command removes device files from the output. This filtering is applicable only for the root filesystem. The output of the modified ncheck is then used as an argument to the ls command. The filesystem must be mounted for the ls command to succeed. In this example output, nothing looks suspicious:

-r-sr-xr-x  1 root   bin    12524   Aug 11 01:27 /bin/df 
-rwxr-sr-x  1 root   sys    32272   Aug 10 15:53 /bin/ipcs 
-r-xr-sr-x  2 bin    mail   32852   Aug 11 01:28 /bin/mail 
-r-sr-xr-x  1 root   sys    11416   Aug 11 01:26 /bin/mkdir 
-rwsr-xr-x  1 root   sys    21780   Aug 11 01:27 /bin/newgrp 
-r-sr-sr-x  1 root   sys    23000   Aug 11 01:27 /bin/passwd 
-r-xr-sr-x  1 bin    sys    27964   Aug 11 01:28 /bin/ps 
-r-xr-sr-x  2 bin    mail   32852   Aug 11 01:28 /bin/rmail 
-r-sr-xr-x  1 root   sys    11804   Aug 11 01:26 /bin/rmdir 
-r-sr-xr-x  1 root   sys    23824   Aug 11 01:27 /bin/su 
-r-xr-sr-x  1 bin    sys    21212   Aug 10 16:08 /etc/whodo 
For XFS filesystems, use the find command:

find / -perm -4000 -print
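
Judging a listing by eye only works while the list is short. The script below is an added example, not part of the original page: it saves the find output as a baseline and reports set-UID files that appear later or that group or other can overwrite. The function names and the constructed demo tree are assumptions of this example.

```sh
#!/bin/sh
# Added example: baseline-and-compare audit of set-UID files.
# Assumes POSIX find, sort and comm, plus mktemp; paths with newlines are not handled.

# suid_list DIR: every regular set-UID file under DIR, sorted, one per line.
suid_list() {
    # -xdev stays on DIR's filesystem, like running ncheck on one device;
    # -perm -4000 matches any mode that includes the set-UID bit.
    find "$1" -xdev -type f -perm -4000 -print 2>/dev/null | LC_ALL=C sort
}

# suid_new BASELINE DIR: set-UID files under DIR that BASELINE does not list.
# BASELINE is the saved output of an earlier suid_list run.
suid_new() {
    _cur=$(mktemp) || return 1
    suid_list "$2" > "$_cur"
    LC_ALL=C comm -13 "$1" "$_cur"
    rm -f "$_cur"
}

# suid_writable DIR: set-UID files that group or other may overwrite.
suid_writable() {
    find "$1" -xdev -type f -perm -4000 \( -perm -0020 -o -perm -0002 \) \
        -print 2>/dev/null | LC_ALL=C sort
}

# make_demo_tree: constructed sample tree (not real system files) holding
# one expected set-UID file and one ordinary file; prints the directory.
make_demo_tree() {
    _d=$(mktemp -d) || return 1
    : > "$_d/su"; chmod 4755 "$_d/su"
    : > "$_d/ls"; chmod 0755 "$_d/ls"
    echo "$_d"
}

# Demo on the constructed tree: run as "sh thisfile demo".
if [ "${1:-}" = demo ]; then
    tree=$(make_demo_tree); base=$(mktemp)
    suid_list "$tree" > "$base"                      # record the known-good state
    : > "$tree/planted"; chmod 4777 "$tree/planted"  # constructed change
    echo "new since baseline:"; suid_new "$base" "$tree"
    echo "writable by group or other:"; suid_writable "$tree"
    rm -rf "$tree" "$base"
fi
```

On a real system the baseline would be taken as the superuser with suid_list / and stored where ordinary users cannot modify it.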
