How to Avoid File Permission Hacks to Linux Systems

By Kevin Beaver

It’s a good idea to check your file permissions to avoid hacks in Linux. Hackers can use this to their advantage if you aren’t careful. In Linux, special file types allow programs to run with the file owner’s rights:

  • SetUID (for user IDs)

  • SetGID (for group IDs)

SetUID and SetGID are required when a user runs a program that needs full access to the system to perform its tasks. For example, when a user invokes the passwd program to change his or her password, the program is actually loaded and run without root or any other user’s privileges.

This is done so that the user can run the program and the program can update the password database without the root account being involved in the process.

File permission hacks to Linux

By default, rogue programs that run with root privileges can be easily hidden. An external attacker or malicious insider might do this to hide hacking files, such as rootkits, on the system. This can be done with SetUID and SetGID coding in their hacking programs.

Countermeasures against Linux file permission attacks

You can test for rogue programs by using both manual and automated testing methods.

Manual testing

The following commands can identify and print to the screen SetUID and SetGID programs:

  • Programs that are configured for SetUID:

    find / -perm -4000 –print
  • Programs that are configured for SetGID:

    find / -perm -2000 –print
  • Files that are readable by anyone in the world:

    find / -perm -2 -type f –print
  • Hidden files:

    find / -name ".*"

You probably have hundreds of files in each of these categories, so don’t be alarmed. When you discover files with these attributes set, you need to make sure that they are actually supposed to have those attributes by researching in your documentation or on the Internet, or by comparing them to a known secure system or data backup.

Keep an eye on your systems to detect any new SetUID or SetGID files that suddenly appear.

Automatic testing

You can use an automated file-modification auditing program to alert you when these types of changes are made. It’s a lot easier on an ongoing basis:

  • A change-detection application, such as Tripwire, can help you keep track of what changed and when.

  • A file-monitoring program, such as COPS, finds files that have changed in status (such as a new SetUID or removed SetGID).