1 Reply. Latest reply on Sep 21, 2011 5:17 AM by Gerardo Bartoccini

    Simple (?) compliance rule about SUID

    Gerardo Bartoccini


      I am building a compliance rule which will check if a specific file has got the SUID bit set.

      I took /usr/bin/wall as an example. On my test server, here's how it looks:


      [as1 bin]$ ls -l /usr/bin/wall

      -r-xr-sr-x 1 root tty 14824 Sep 17  2008 /usr/bin/wall

      [as1 bin]$


      The script used by CIS actually finds it:


      [as1 bin]$ find /usr/bin -type f \( -perm -02000 \) -print







      [as1 bin]$


      However, my compliance rule won't match.

      I have tried the following:


      "File:/usr/bin/wall"."Permissions (Unix) (Unix)" has no flags "SetUID"




      "File:/usr/bin/wall"."Permissions (Unix) (Unix)" does not have any flag "SetUID"


      but no luck.

      I would rather not script it, as the customer complains we script too much :-)


      Any clues?

        • 1. Re: Simple (?) compliance rule about SUID
          Gerardo Bartoccini

          I figured out how it works.


          I will summarize here my findings should someone face the same issue.


          Here's how the SetUID bit looks:


          (4000) --s --- ---



          Here's how the SetGID bit looks:


          (2000) --- --s ---



          Here's how the Sticky bit looks:


          (1000) --- --- --t




          This means that the tool in my example (/usr/bin/wall) has got the SetGID bit set.


          Actually, BladeLogic marks it as non-compliant if the rule looks like:


          "File:/usr/bin/wall"."Permissions (Unix) (Unix)" has no flags "SetGID"
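The following shell script is an added worked example, not part of the thread and not BladeLogic's own code. It reproduces the reply's mapping (4000 = SetUID, 2000 = SetGID, 1000 = Sticky) in plain POSIX sh: it converts an ls -l permission string such as -r-xr-sr-x into its octal mode, reports which special bits are set, and applies the same "has no flags" test the compliance rule performs. The function names (symbolic_to_octal, mode_flags, rule_has_no_flag, file_flags) are my own, and file_flags assumes GNU coreutils stat.

```shell
#!/bin/sh
# Added example (not from the thread or BladeLogic): decode special permission
# bits the way the reply above describes them.
#   4000 = SetUID (s in the user execute slot)
#   2000 = SetGID (s in the group execute slot)
#   1000 = Sticky (t in the other execute slot)

# add_special WHO: add the special bit belonging to the user/group/other slot
add_special() {
    case $1 in
        user)  special=$((special + 4)) ;;
        group) special=$((special + 2)) ;;
        other) special=$((special + 1)) ;;
    esac
}

# symbolic_to_octal SYMBOLIC: "-r-xr-sr-x" -> "2555" (four octal digits)
symbolic_to_octal() {
    perm=${1#?}                      # drop the leading file-type character
    special=0 digits="" i=1
    for who in user group other; do
        r=$(printf '%s' "$perm" | cut -c"$i")
        w=$(printf '%s' "$perm" | cut -c"$((i + 1))")
        x=$(printf '%s' "$perm" | cut -c"$((i + 2))")
        d=0
        [ "$r" = r ] && d=$((d + 4))
        [ "$w" = w ] && d=$((d + 2))
        case $x in
            x)   d=$((d + 1)) ;;
            s|t) d=$((d + 1)); add_special "$who" ;;   # special bit plus execute
            S|T) add_special "$who" ;;                 # special bit, no execute
        esac
        digits="$digits$d"
        i=$((i + 3))
    done
    printf '%d%s\n' "$special" "$digits"
}

# mode_flags OCTALMODE: list the special flags set in an octal mode, e.g.
# "2555" -> "SetGID", "6755" -> "SetUID SetGID", "755" -> "none"
mode_flags() {
    mode=$((0$1))                    # leading 0 forces octal interpretation
    flags=""
    [ $((mode & 04000)) -ne 0 ] && flags="$flags SetUID"
    [ $((mode & 02000)) -ne 0 ] && flags="$flags SetGID"
    [ $((mode & 01000)) -ne 0 ] && flags="$flags Sticky"
    [ -n "$flags" ] || flags=" none"
    printf '%s\n' "${flags# }"
}

# rule_has_no_flag OCTALMODE FLAG: return 0 (compliant) when FLAG is absent,
# 1 (non-compliant) when it is set, mirroring '... has no flags "SetGID"'.
rule_has_no_flag() {
    case " $(mode_flags "$1") " in
        *" $2 "*) return 1 ;;
        *)        return 0 ;;
    esac
}

# file_flags PATH: the same report for a real file.
# Assumption: GNU coreutils stat, whose %a prints the full octal mode.
file_flags() {
    mode_flags "$(stat -c '%a' "$1")"
}

# Usage: file_flags /usr/bin/wall
#        rule_has_no_flag "$(symbolic_to_octal -r-xr-sr-x)" SetGID; echo $?
```

Run against the ls -l line from the first post, symbolic_to_octal yields 2555 and mode_flags reports only SetGID, which is exactly why the SetUID rule never matched while the SetGID rule marks the file non-compliant.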