Ensure That Unnecessary SUID and SGID Bits Are Removed
In Linux, Set User ID (SUID) and Set Group ID (SGID) are special permission bits used in UNIX and Unix-like OSs to control program execution privileges. They allow an executable to run with the permissions of the file owner or its owner group. To ensure system security, unnecessary SUID and SGID bits should not be set on files, as they pose potential security risks.
- Run the following command to search for SUID and SGID files in the system:
find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \;- If no command output is displayed, no such files exist in the system.
- If any SUID or SGID files are listed, you must review them to determine whether such privileges are genuinely required. Generally, only specific system utilities or programs require SUID or SGID permissions, while the vast majority of files do not.
- If a file does not require SUID or SGID privileges, you can either delete the file itself or remove its SUID and SGID bits.
- To delete the file:
rm -rf /path/to/file
- To remove the SUID and SGID bits from the file:
chmod u-s,g-s /path/to/file
- To delete the file:
Parent topic: Manual Configuration Items