2

I'm writing an audit script to find all files with SUID & SGID bit set on the system, using the below command:

find / perm /u=s,g=s

The script will run with a non-root user. Will this user be able to (have permission) to search for all files with SUID/SGID bit set?

If not which specific permission would need to be granted to the user to accomplish this?

The Script would be run mainly on an RHEL system.

0xC0000022L
  • 16,189
  • 24
  • 102
  • 168
user116840
  • 21
  • 2
  • Check out `man sudoers` to configure your user to be able to invoke said script as root and without password. But make sure that your script allows for no escape into an interactive shell of any kind. – 0xC0000022L May 26 '15 at 15:47
  • I think that you only need CAP_DAC_READ_SEARCH, not root (see http://man7.org/linux/man-pages/man7/capabilities.7.html and http://unix.stackexchange.com/questions/101263/what-are-the-different-ways-to-set-file-permissions-etc-on-gnu-linux ) – ctrl-alt-delor Jun 28 '16 at 10:49

1 Answers1

1

Well, to be sure, you'll need to run that script with escalated permissions.

Imagine that someone has an suid program inside the following directory:

$ ls -ld sneaky
d--x------. 2 user111 g1 4096 May 26 17:19 sneaky
$ ./sneaky/test.sh
runs

Your script will not be able to find that file, even if your program runs as user user111.

Otheus
  • 5,945
  • 1
  • 22
  • 53
  • If the non-root user is granted sudo permission only for the 'find' command, will it work? – user116840 May 26 '15 at 15:24
  • Yes/no. If the find command is looking for the permissions, yes. But once you have the filename, the non-escalated process won't be able to read or even list the file. But if you're OK with that, sudo the find. – Otheus May 26 '15 at 15:30
  • `sudo find /etc -iname shadow -exec .....` You may want to restrict your `sudo` permissions a bit tighter than that. – Shadur Jun 12 '15 at 05:29