

Practical UNIX & Internet Security

Appendix B: Important Files
 

B.3 SUID and SGID Files

To run a secure computer, you must know of every SUID and SGID file on the system and be sure that each file has the proper permissions for which it was designed.

Unfortunately, there is a huge amount of variation among UNIX vendors in the use of SUID and SGID. Some manufacturers use SUID root for all privilege-requiring programs, while some create special groups for controlling terminals (group tty), or disks (group operator), or memory (group kmem). Some vendors use a variety of approaches. Most change their approaches to SUID and SGID from software release to software release. As a result, any attempt to list SUID and SGID files on a system that is not constrained to a particular release is likely to be incomplete.

You may also receive SUID or SGID files as part of third-party software that you may purchase or download from the net. Many of these third-party programs require SUID root permission because they modify devices or do things on behalf of users. If you choose to use these programs, you should seek assurance from the vendor that superuser privileges are confined to the smallest possible region of the program, and that, in general, rules such as those contained in Chapter 23, Writing Secure SUID and Network Programs, have been followed in coding the software. You may also wish to obtain written representations from the vendor that the security of the computer system will not be compromised as a result of SUID/SGID programs, and that, in the event that the system is compromised, the vendor will pay for damages.

B.3.1 SUID/SGID Files in Solaris 2.4 (SVR4)

This section contains a list of the SUID and SGID files found in Solaris 2.4, which is representative of System V Release 4 systems in general. Rather than simply presenting a complete list of files, we have annotated the reason that SUID or SGID permissions are set. Our goal is to teach you how to recognize the SUID/SGID files on your system, and make your own decision as to whether the privilege is justified, or whether some lesser privilege would suffice.

You can generate your own list of SUID files by using the command:

# find / -type f -perm -04000 -ls

You can generate a list of SGID files by using the command:

# find / -type f -perm -02000 -ls
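
The two find commands above can be folded into a single audit pass. The following shell functions are an added example, not code from the book: the names classify_setid, setid_scan and setid_new are hypothetical, and the parsing assumes "ls -l" style lines like the listings in this appendix, with no whitespace in path names.

```sh
#!/bin/sh
# Added example (not from the book). Function names are hypothetical.
# Assumes "ls -l" style lines and path names without whitespace.

# classify_setid: read "ls -l" style lines on stdin and print, for each
# SUID/SGID entry:  KIND OWNER GROUP PATH [notes]
classify_setid() {
    awk '
    {
        mode = $1; kind = ""; notes = ""
        u = substr(mode, 4, 1)    # owner execute slot: s/S means SUID
        g = substr(mode, 7, 1)    # group execute slot: s/S means SGID
        # Lowercase s: bit set and executable; uppercase S: bit set only.
        if (u == "s" || u == "S") kind = "SUID"
        if (g == "s" || g == "S") kind = (kind == "" ? "SGID" : "SUID+SGID")
        if (kind == "") next
        # Write access for anyone but the owner deserves a second look.
        if (substr(mode, 6, 1) == "w") notes = notes " group-writable"
        if (substr(mode, 9, 1) == "w") notes = notes " world-writable"
        # A link count above 1 means the program has other names as well.
        if ($2 > 1) notes = notes " links=" $2
        print kind, $3, $4, $NF notes
    }'
}

# setid_scan ROOT: both find commands from the text in a single pass.
setid_scan() {
    find "$1" -type f \( -perm -04000 -o -perm -02000 \) \
        -exec ls -ld {} + | classify_setid
}

# setid_new ROOT BASELINE: entries that are absent from a saved baseline
# (a file written earlier with: setid_scan ROOT > BASELINE).
setid_new() {
    tmp=$(mktemp) || return 1
    setid_scan "$1" | LC_ALL=C sort > "$tmp"
    LC_ALL=C sort "$2" | LC_ALL=C comm -23 "$tmp" -
    rm -f "$tmp"
}
```

Run setid_scan / as root once to save a baseline, then run setid_new / with that baseline after installing software; a changed mode, owner, group or link count also shows up as a new line.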

B.3.1.1 SUID files

-r-sr-xr-x   1 root     sys       610480 Aug  3  1994 /sbin/su
-r-sr-xr-x   1 root     bin       559968 Aug  3  1994 /sbin/sulogin
-r-sr-xr-x   1 root     sys        15156 Jul 16  1994 /usr/bin/su

The su command is SUID root so it can alter the process's effective UID. We don't understand why sulogin needs to be SUID root, because it is only run when the system boots in single-user mode (and, presumably, it is already running as root). The /sbin/su program is statically linked, which is why it is so much larger than /usr/bin/su, which uses shared libraries.

-rwsr-xr-x   1 root     sys        32144 Jul 15  1994 /usr/bin/at
-rwsr-xr-x   1 root     sys        12128 Jul 15  1994 /usr/bin/atq
-rwsr-xr-x   1 root     sys        10712 Jul 15  1994 /usr/bin/atrm

The at commands are SUID root because they run commands for all user IDs, and need root permissions to set the user and group permissions of jobs. Additionally, the directory where these jobs are stored is protected to prevent snooping and tampering with the files, and root permissions are used to enforce these protections.

-r-sr-xr-x   1 root     sys        29976 Jul 16  1994 /usr/bin/chkey

The chkey command is SUID root because it accesses the /etc/publickey database.

-r-sr-xr-x   1 root     bin        14600 Jul 15  1994 /usr/bin/cron

The cron program is SUID root so that it can alter files in the /var/spool/cron directory. As with the at commands above, it also runs jobs under different user IDs and needs root privileges to do so.

-r-sr-xr-x   1 root     bin         9880 Jul 16  1994 /usr/bin/eject
-r-sr-xr-x   1 root     bin        22872 Jul 16  1994 /usr/bin/fdformat
-r-sr-xr-x   1 root     bin         4872 Jul 16  1994 /usr/bin/volcheck

These programs are SUID root because they directly manipulate the floppy disk device.

-r-sr-xr-x   1 root     bin        27260 Jul 16  1994 /usr/bin/login

login must be SUID root so that one user can use login to log in as another user without first logging out. If login were not SUID root, it could not change its real and effective UID to be that of another user. If the program is not SUID, then users need to log out before logging in as another user - a minor inconvenience. Many site administrators prefer this behavior and remove the SUID permission on login as a result.

-rwsr-xr-x   1 root     sys         9520 Jul 16  1994 /usr/bin/newgrp

newgrp is SUID root because it must alter the process's effective and real group IDs (GIDs).

-r-sr-sr-x   1 root     sys        11680 Jul 16  1994 /usr/bin/passwd

This program must be SUID root because it modifies the /etc/passwd or /etc/shadow files.

-r-sr-xr-x   1 root     sys        17800 Jul 16  1994 /usr/bin/ps
-r-sr-xr-x   1 root     bin        12080 Jul 16  1994 /usr/sbin/whodo

These programs are SUID root because they need access to the computer's /dev/mem and /dev/kmem devices, and to access some accounting files. Perhaps a safer approach would be to have a kmem group and have needed files be SGID kmem.

-r-sr-xr-x   1 root     bin        15608 Jul 15  1994 /usr/bin/rcp
-r-sr-xr-x   1 root     bin        60268 Jul 15  1994 /usr/bin/rdist
-r-sr-xr-x   1 root     bin        14536 Jul 15  1994 /usr/bin/rlogin
-r-sr-xr-x   1 root     bin         7920 Jul 15  1994 /usr/bin/rsh
-rwsr-xr-x   1 root     other       7728 Jul 16  1994 /usr/bin/yppasswd
-r-sr-x--x   1 root     bin       134832 Jul 16  1994 /usr/lib/sendmail
-r-sr-x--x   1 root     bin       137552 Jul 16  1994 /usr/lib/sendmail.mx
-r-sr-xr-x   1 root     bin        17968 Jul 15  1994 /usr/sbin/ping
-r-sr-xr-x   1 root     bin       510532 Jul 15  1994 /usr/sbin/static/rcp

In general, these programs are all SUID root because they need to create TCP/IP connections on ports below 1024. The sendmail program also needs the ability to modify files stored in its working directories. The ping program needs to use raw IP.

-rws--x--x   1 uucp     bin        55608 Jul 16  1994 /usr/bin/tip
---s--x--x   1 root     uucp       68816 Jul 15  1994 /usr/bin/ct
---s--x--x   1 uucp     uucp       81904 Jul 15  1994 /usr/bin/cu

These programs are SUID uucp so that they can access the dialer and modem devices.

-r-sr-xr-x   2 root     bin        10888 Jul 16  1994 /usr/bin/uptime
-r-sr-xr-x   2 root     bin        10888 Jul 16  1994 /usr/bin/w

We can't figure out why these programs are SUID root, as they access files (/var/adm/utmp and /dev/kstat) that are world-readable. These are hard links, which you can verify by using ls -li.

---s--x--x   1 uucp     uucp     64240 Jul 15  1994 /usr/bin/uucp
---s--x--x   1 uucp     uucp     21304 Jul 15  1994 /usr/bin/uuglist
---s--x--x   1 uucp     uucp     17144 Jul 15  1994 /usr/bin/uuname
---s--x--x   1 uucp     uucp     60952 Jul 15  1994 /usr/bin/uustat
---s--x--x   1 uucp     uucp     68040 Jul 15  1994 /usr/bin/uux
---s--x--x   1 uucp     uucp      4816 Jul 15  1994 /usr/lib/uucp/remote.unknown
---s--x--x   1 uucp     uucp    169096 Jul 15  1994 /usr/lib/uucp/uucico
---s--x--x   1 uucp     uucp     32016 Jul 15  1994 /usr/lib/uucp/uusched
---s--x--x   1 uucp     uucp     81040 Jul 15  1994 /usr/lib/uucp/uuxqt

These programs are SUID uucp because they need to access privileged UUCP directories and files.

-r-sr-xr-x   1 root     bin        21496 Jul 16  1994 /usr/lib/exrecover

This file is SUID root so that it can access the directory in which editor recovery files are saved. As we have said in other places in the book, a more secure approach would be to have an account specifically created for accessing this directory, or to create user-owned subdirectories in a common save directory.

-r-sr-sr-x   1 root     tty       151352 Jul 15  1994 /usr/lib/fs/ufs/ufsdump
-r-sr-xr-x   1 root     bin       605348 Jul 15  1994 /usr/lib/fs/ufs/ufsrestore

These files are SUID root so that users other than the superuser can make backups. In the Solaris version of these commands, any user who is in the sys group can dump the contents of the system's disks and restore them without having root access. (As a result, having sys access on this operating system means that you can effectively read any file on the computer by using a combination of ufsdump and ufsrestore.) Note: the fact that users in the sys group can dump and undump tapes is not documented in the man page. Other programs may give undocumented privileges to users who happen to be in particular groups.

-rwsr-xr-x   1 root     adm         4008 Jul 15  1994 /usr/lib/acct/accton

There must be some reason that this program is SUID root. But, once again, we can't figure it out, as the program gives the error "permission denied" when it is run by anybody other than the superuser.

-rwsr-xr-x   3 root     bin        13944 Jul 16  1994 /usr/sbin/allocate
-rwsr-xr-x   3 root     bin        13944 Jul 16  1994 /usr/sbin/deallocate
-rwsr-xr-x   3 root     bin        13944 Jul 16  1994 /usr/sbin/list_devices

The allocate command allocates devices to users based on the Solaris allocation mechanism. For more information, refer to the Solaris documentation. We believe that the mkdevalloc and mkdevmaps commands are part of the same system, but they are not documented.

-rwsr-xr-x   1 root     sys        21600 Jul 16  1994 /usr/sbin/sacadm

The sacadm command is the top-level entry point into the Service Access Facility system.

-rwsrwxr-x   1 root     bin        87808 Jun 24  1994 /usr/openwin/bin/xlock

We think that xlock needs to be SUID root so that it can read your password from the shadow file.

-r-sr-sr-x   1 root     sys        20968 Jun 27  1995 /usr/dt/bin/dtaction
-r-sr-xr-x   1 root     bin        69172 Jun 27  1995 /usr/dt/bin/dtappgather
-r-sr-xr-x   1 root     bin       134600 Jun 27  1995 /usr/dt/bin/dtsession
-r-sr-xr-x   1 root     bin       373332 Jun 27  1995 /usr/dt/bin/dtprintinfo
-r-sr-sr-x   1 root     daemon    278060 Jun 27  1995 /usr/dt/bin/sdtcm_convert

These programs all appear to perform session management as part of the Common Desktop Environment 1.0. We don't know why dtaction needs to be SUID root.

B.3.1.2 Undocumented SUID programs

The following programs are SUID and undocumented. This combination is dangerous, because there is no way to tell for sure what these programs are supposed to do, if they have their SUID/SGID bits properly set, or if they are even part of the standard operating system release.

---s--x--x   1 root     bin         3116 Jul 16  1994 /usr/lib/pt_chmod
-r-sr-xr-x   1 root     bin         5848 Jul 16  1994 /usr/lib/utmp_update
-rwsr-xr-x   1 root     bin         8668 Jul 16  1994 /usr/sbin/mkdevalloc
-rwsr-xr-x   1 root     bin         9188 Jul 16  1994 /usr/sbin/mkdevmaps
-r-sr-sr-x   1 root     bin        14592 Jul 15  1994 /usr/openwin/bin/ff.core
-rwsr-xr-x   1 root     bin        19580 Jun 24  1994 /usr/openwin/lib/mkcookie
-rwsr-sr-x   1 bin      bin         8288 Jul 16  1994 /usr/vmsys/bin/chkperm
-r-sr-xr-x   1 lp       lp           203 Jul 18  1994 /etc/lp/alerts/printer

B.3.1.3 SGID files

-rwxr-sr-x   1 root     sys       147832 Jul 15  1994 /usr/kvm/crash
-r-xr-sr-x   1 bin      sys        31440 Jul 15  1994 /usr/bin/netstat
-r-xr-sr-x   1 bin      sys        11856 Jul 16  1994 /usr/bin/nfsstat
-r-xr-sr-x   1 bin      sys        11224 Jul 16  1994 /usr/bin/ipcs
-r-xr-sr-x   1 root     bin         6912 Jul 15  1994 /usr/sbin/arp
-r-xr-sr-x   1 bin      sys         6280 Jul 16  1994 /usr/sbin/fusage
-r-xr-sr-x   1 root     sys        15128 Jul 16  1994 /usr/sbin/prtconf
-r-xr-sr-x   1 bin      sys         7192 Jul 16  1994 /usr/sbin/swap
-r-xr-sr-x   1 root     sys        21416 Jul 16  1994 /usr/sbin/sysdef
-r-xr-sr-x   1 bin      sys         5520 Jul 15  1994 /usr/sbin/dmesg
-rwxr-sr-x   1 root     sys        12552 Jul 18  1994 /usr/openwin/bin/wsinfo
-rwxrwsr-x   1 root     sys         9272 Jul 18  1994 /usr/openwin/bin/xload

These programs examine and/or modify memory of the running system and use group permissions to read the necessary device files.

-r-xr-sr-x   1 bin      sys        28696 Jul 16  1994 /usr/kvm/eeprom

The eeprom program allows you to view or modify the contents of the system's EEPROM. It should probably not be executable by non-root users.

-r-x--s--x   1 bin      mail       65408 Jul 16  1994 /usr/bin/mail
-r-x--s--x   1 bin      mail      132888 Jul 16  1994 /usr/bin/mailx
-r-xr-sr-x   1 root     mail      449960 Jul 15  1994 /usr/openwin/bin/mailtool
-r-xr-sr-x   1 bin      mail      825220 Jun 27  1995 /usr/dt/bin/dtmail
-r-xr-sr-x   1 bin      mail      262708 Jun 27  1995 /usr/dt/bin/dtmailpr

The mail programs can be used to send mail or read mail in the /var/mail directory. We are not certain why these programs need to be SGID mail; however, we suspect it involves lock management.

-r-sr-sr-x   1 root     sys        20968 Jun 27  1995 /usr/dt/bin/dtaction

This is another part of the Common Desktop Environment system. We don't know why it is both SUID and SGID.

-r-sr-sr-x   1 root     sys        11680 Jul 16  1994 /usr/bin/passwd

We do not know why this program needs to be both SUID root and SGID sys.

-r-xr-sr-x   1 bin      tty       9984 Jul 16  1994 /usr/bin/write
-r-sr-sr-x   1 root     tty     151352 Jul 15  1994 /usr/lib/fs/ufs/ufsdump
-r-xr-sr-x   1 bin      tty       9296 Jul 16  1994 /usr/sbin/wall

These programs are SGID tty so that they can write on the devices of users.

-rwxr-sr-x   1 root     root      650620 Jun 24  1994 /usr/openwin/bin/Xsun

Xsun is the X-Window server for the Sun. It is SGID so that it can access necessary device files.

-r-sr-sr-x   1 root   daemon  278060 Jun 27  1995 /usr/dt/bin/sdtcm_convert

This program converts files from the Open Windows calendar data format version 3 to version 4. According to the documentation, sdtcm_convert must be run by the superuser or the owner of the calendar. Users can only run the program on their own calendars; the superuser can run the program on any calendar. Because the /var/spool/calendar directory is mode 3777, there should be no reason for this program to be SUID or SGID.

B.3.1.4 Undocumented SGID files

These files are not documented in the Solaris system documentation:

-r-sr-sr-x   1 root     bin        14592 Jul 15  1994 /usr/openwin/bin/ff.core
-rwsr-sr-x   1 bin      bin         8288 Jul 16  1994 /usr/vmsys/bin/chkperm

B.3.2 SUID/SGID Files in Berkeley UNIX

This list of SUID and SGID files in Berkeley UNIX was derived by looking at computers made by Sun Microsystems, Digital Equipment Corporation, and NeXT Inc. The list of SUID and SGID files on your version of Berkeley UNIX is likely to be different. For this reason, we not only list which files are SUID and SGID, we also explain why they are SUID or SGID. After reading this list, you should be able to look at all of the SUID and SGID files on your system and figure out why your files have been set in particular ways. If you have a question about a file that is SUID or SGID, consult your documentation or contact your vendor.

B.3.2.1 SUID files

-rwsr-xr-x 1 root     wheel    16384 Aug 18 1989 /usr/etc/ping

ping must be SUID root so that it can transmit ICMP ECHO requests on the raw IP port.

-r-s--x--x 1 root     wheel    16384 Aug 18 1989 /usr/etc/timedc

The timedc (Time Daemon Control) program must be SUID root so that it can access the privileged time port.

-r-sr-x--x 3 root     wheel    81920 Sep  7 1989 /usr/lib/sendmail
-r-sr-x--x 3 root     wheel    81920 Sep  7 1989 /usr/bin/newaliases
-r-sr-x--x 3 root     wheel    81920 Sep  7 1989 /usr/bin/mailq

These programs are all hard links to the same binary. The sendmail program must be SUID root because it listens on TCP/IP port 25, which is privileged.

-rwsr-xr-x 1 root     wheel    16384 Aug 15 1989 /usr/lib/ex3.7recover
-rwsr-xr-x 1 root     wheel    16384 Aug 15 1989 /usr/lib/ex3.7preserve

These programs, part of the vi editor system, must be SUID root so they can read and write the backup files used by vi. (These are often SGID preserve.)

-rws--x--x 1 root     wheel   40960 Nov 15 1989 /usr/lib/lpd
-rws--s--x 1 root     daemon  24576 Sep  6 1989 /usr/ucb/lpr
-rws--s--x 1 root     daemon  24576 Sep  6 1989 /usr/ucb/lpq
-rws--s--x 1 root     daemon  24576 Sep  6 1989 /usr/ucb/lprm

The line-printer daemon must be SUID root so it can listen on TCP/IP port 515, the printer port, and so can read and write files in the /usr/spool/lpd directory. Likewise, the line-printer user commands must be SUID so they can access spool files and the printer device.

-rwsr-xr-x 1 root     wheel    24576 Aug 18 1989 /bin/ps
-rwsr-xr-x 2 root     wheel    57344 Aug 18 1989 /usr/ucb/w
-rwsr-xr-x 2 root     wheel    57344 Aug 18 1989 /usr/ucb/uptime
-rwsr-xr-x 1 root     wheel    16384 Aug 18 1989 /usr/bin/iostat

These programs must be SUID root because they need to read the kernel's memory to generate the statistics that they print. On some systems, these programs are distributed SGID kmem, and /dev/kmem is made readable only by this group. This second approach is more secure than the first approach.

-rwsr-xr-x 1 root     wheel    16384 Aug 18 1989 /usr/ucb/quota

The quota command must be SUID root so that it can read the quota file.

-rwsr-xr-x 1 root     wheel    16384 Aug 18 1989  /usr/ucb/rcp
-rwsr-x--x 1 root     wheel    32768 Aug 18 1989  /usr/ucb/rdist
-rwsr-xr-x 1 root     wheel    16384 Aug 23 1989  /usr/ucb/rlogin
-rwsr-xr-x 1 root     wheel    16384 Aug 18 1989  /usr/ucb/rsh
-rwsr-sr-x 1 root     tty      32768 Nov 11 17:17 /usr/etc/rdump

These programs must be SUID root because they use privileged ports to do username authentication.

-rwsr-xr-x 1 daemon   wheel    16384 Aug 18 1989 /usr/bin/atq
-rwsr-xr-x 1 daemon   wheel    16384 Aug 18 1989 /usr/bin/at
-rwsr-xr-x 1 daemon   wheel    16384 Aug 18 1989 /usr/bin/atrm

These programs must be SUID because they access and modify spool files that are kept in privileged directories.

-rws--x--x 2 root    daemon  205347 Sep 29 10:14 /usr/bin/tip
-rws--x--x 2 root    daemon  205347 Sep 29 10:14 /usr/bin/cu

tip and cu, which are both hard links to the same binary, must be SUID root so that they can have physical access to the modem device. On some systems, these files may be SUID UUCP.

-rwsr-xr-x 1 root     wheel    16384 Aug 18 1989 /bin/login

login must be SUID root so that one user can use login to log in as another user, without first logging out. If login were not SUID root, it could not change its real and effective UID to be that of another user.

-rwsr-xr-x 1 root     wheel    16384 Aug 21 1989 /bin/mail

mail must be SUID root so that it can append messages to a user's mail file.

-rwsr-xr-x 1 root     wheel    16384 Aug 18 1989 /bin/passwd
-rwsr-xr-x 1 root     system   28672 Feb 21 1990 /usr/ucb/chsh
-rwsr-xr-x 1 root     system   28672 Feb 21 1990 /usr/ucb/chfn

These programs must be SUID root because they modify the /etc/passwd file.

-rwsr-xr-x 1 root     wheel    16384 Sep 3 1989 /bin/su

su must be SUID root so it can change its process's effective UID to that of another user.

--s--s--x 1 uucp    daemon  24576 Sep 3 1989  /usr/bin/uucp 
--s--s--x 1 uucp    daemon  24576 Sep 3 1989  /usr/bin/uux
--s--s--x 1 uucp    daemon  16384 Sep 3 1989  /usr/bin/uulog
--s--s--x 1 uucp    daemon  16384 Sep 3 1989  /usr/bin/uuname
--s--s--x 1 uucp    daemon  16384 Sep 3 1989  /usr/bin/uusnap
--s--s--x 1 uucp    daemon  24576 Sep 3 1989  /usr/bin/uupoll
--s--s--x 1 uucp    daemon  16384 Sep 3 1989  /usr/bin/uuq
--s--s--x 2 uucp    daemon  16384 Sep 3 1989  /usr/bin/uusend
--s--s--x 2 uucp    daemon  16384 Sep 3 1989  /usr/bin/ruusend
--s--s--x 1 uucp    daemon  90112 Sep 3 1989  /usr/lib/uucp/uucico
--s--s--x 1 uucp    daemon  24576 Sep 3 1989  /usr/lib/uucp/uuclean
--s--s--- 1 uucp    daemon  32768 Sep 3 1989  /usr/lib/uucp/uuxqt
--s--x--x 1 uucp    daemon  32768 Feb 21 1990 /usr/var/uucp/uumonitor
--s--x--x 1 uucp    daemon  86016 Feb 21 1990 /usr/var/uucp/uucompact
--s--x--x 1 uucp    daemon  77824 Feb 21 1990 /usr/var/uucp/uumkspool
--s------ 1 uucp    daemon  90112 Feb 21 1990 /usr/var/uucp/uurespool

These UUCP files are SUID uucp so they can access and modify the protected UUCP directories. Not all of these will be SUID in every system.

-rwsr-xr-x 1 root     system   954120 Jun 8 03:58 /usr/bin/X11/xterm
-rwsr-xr-x 1 root     system   155648 Nov 16 1989 /usr/lib/X11/getcons

xterm is SUID because it needs to be able to change the ownership of the pty that it creates for the X terminal. getcons is SUID because it needs to be able to execute a privileged kernel call.

B.3.2.2 SGID files



-rwxr-sr-x 1 root     kmem    4772 Nov 11 17:07 /usr/etc/arp
-rwxr-sr-x 1 root     kmem    2456 Nov 11 17:14 /usr/etc/dmesg
-rwxr-sr-x 1 root     kmem    4276 Nov 11 17:35 /usr/etc/kgmon
-rwxr-sr-x 1 root     kmem    5188 Nov 11 18:16 /usr/etc/vmmprint
-rwxr-sr-x 1 root     kmem    3584 Nov 11 18:16 /usr/etc/vmoprint
-rwxr-sr-x 1 root     kmem    5520 Nov 11 20:38 /usr/etc/nfsstat
-r-xr-sr-x 1 root     kmem   32768 Oct 22 10:30 /usr/ucb/gprof
-rwxr-sr-x 1 root     kmem   40960 Nov 11 18:39 /usr/ucb/netstat
-rwxr-sr-x 1 root     kmem   24576 Nov 11 18:57 /usr/ucb/sysline
-rwxr-sr-x 1 root     kmem   76660 Jun 8 03:56  /usr/bin/X11/xload

These commands are SGID because they need to be able to access the kernel's memory.

-rwxr-sr-x 1 root     tty      2756 Nov 11 17:05 /bin/wall
-rwxr-sr-x 1 root     tty      4272 Nov 11 17:06 /bin/write

These commands are SGID because they need to be able to access the raw terminal devices.

---s--s--x 1 uucp    daemon  90112 Nov 11 20:25 /usr/lib/uucp/uucico
---s--s--x 1 uucp    daemon  11136 Nov 11 20:25 /usr/lib/uucp/uuclean
---s--s--- 1 uucp    daemon  32768 Nov 11 20:26 /usr/lib/uucp/uuxqt
---s--s--x 1 uucp    daemon  24576 Nov 11 20:25 /usr/bin/uucp
---s--s--x 1 uucp    daemon  24576 Nov 11 20:25 /usr/bin/uux
---s--s--x 1 uucp    daemon   4620 Nov 11 20:25 /usr/bin/uulog
---s--s--x 1 uucp    daemon   5776 Nov 11 20:25 /usr/bin/uuname
---s--s--x 1 uucp    daemon   4260 Nov 11 20:26 /usr/bin/uusnap
---s--s--x 1 uucp    daemon  24576 Nov 11 20:26 /usr/bin/uupoll
---s--s--x 1 uucp    daemon   8716 Nov 11 20:26 /usr/bin/uuq
---s--s--x 2 uucp    daemon   3548 Nov 11 20:26 /usr/bin/uusend
---s--s--x 2 uucp    daemon   3548 Nov 11 20:26 /usr/bin/ruusend

These commands are all SGID because they need to be able to access UUCP spool files.

-rwx--s--x 1 root    daemon  24576 Oct 27 18:39 /usr/etc/lpc
-rws--s--x 1 root    daemon  40960 Oct 27 18:39 /usr/lib/lpd
-rws--s--x 1 root    daemon  24576 Oct 27 18:39 /usr/ucb/lpr
-rws--s--x 1 root    daemon  24576 Oct 27 18:39 /usr/ucb/lpq
-rws--s--x 1 root    daemon  24576 Oct 27 18:39 /usr/ucb/lprm

These commands are all SGID because they need to be able to access the line-printer device and spool files.

-rwxr-sr-x 1 root    operator 6700 Nov 11 16:53 /bin/df

This command is SGID because it needs access to the raw disk device (which is owned by the group operator on some versions of Berkeley UNIX).

