11.12.1 Find who is running SUID programs

HP-UX 11i Security, by Chris Wong, Prentice Hall PTR; ISBN: 0130330620

As we have seen, accounting can be used for more than collecting data on process usage, disk usage, and connect time. Because it records every command a user issues, you can also use it to pick out a particular kind of command. If you've ever wondered which SUID programs are being executed, and how often, this is an easy way to find out.

Enable accounting as described in the last section. When you run the acctcom command, a "#" is displayed in the first column if the command issued was SUID:

#passwd  jrice   pts/tb   13:01:51 13:01:51 0.15 0.09 0.00

uname    jrice   pts/tb   13:02:04 13:02:04 0.06 0.03 0.00

If the user issued a SUID command, the summary line for their shell will also display the "#":

#sh      jrice   pts/tb   13:01:36 13:02:06 30.83 0.25 0.00

The lastcomm command will display an "S" rather than the "#":

sh       S   jrice  pts/tb 0.25 secs Fri Mar 1 13:01

uname        jrice  pts/tb 0.03 secs Fri Mar 1 13:01

passwd   S   jrice  pts/tb 0.09 secs Fri Mar 1 13:01

If you want to find all the SUID commands issued by non-root users, quote the "#" so the shell does not treat it as the start of a comment, and use the -v option to exclude root's commands and the shell summary lines:

acctcom | grep '#' | grep -v root | grep -v '#sh'
#sendmail vking   pts/ta  13:22:06 13:22:16 10.46
#passwd   jrice   pts/tb  13:25:33 13:25:43 10.78
#lp       bshaver pts/td  13:27:31 13:27:31  0.30

Note that grep -v root drops any record containing the string "root" anywhere on the line, not only those where the user is root.
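The grep pipeline above works for a quick look, but it matches substrings anywhere on the line and does not answer the "how often" question. The following added example (not from the book) does the same filtering on whole fields with awk and counts SUID executions per command and user, for both the acctcom and the lastcomm layouts shown above. The sample accounting records are constructed, and the lastcomm flags column is assumed to be an optional field of upper-case letters between the command and user names.

```shell
#!/bin/sh
# Added example, not from the book. Summarizes SUID command executions
# recorded by HP-UX process accounting, using the column layouts shown
# in the text. Field-based matching avoids the substring pitfalls of
# "grep -v root" and "grep -v '#sh'".

# Constructed sample of acctcom output (header lines included on purpose;
# they never start with "#" so the filter skips them).
sample_acctcom() {
  cat <<'EOF'
COMMAND                                       START    END        REAL    CPU    MEAN
NAME       USER     TTYNAME  TIME     TIME     (SECS)  (SECS) SIZE(K)
#passwd    jrice    pts/tb   13:01:51 13:01:51   0.15    0.09   0.00
uname      jrice    pts/tb   13:02:04 13:02:04   0.06    0.03   0.00
#sh        jrice    pts/tb   13:01:36 13:02:06  30.83    0.25   0.00
#sendmail  vking    pts/ta   13:22:06 13:22:16  10.46    0.12   0.00
#passwd    jrice    pts/tb   13:25:33 13:25:43  10.78    0.10   0.00
#lp        bshaver  pts/td   13:27:31 13:27:31   0.30    0.02   0.00
#passwd    root     pts/ta   13:30:00 13:30:01   1.00    0.05   0.00
EOF
}

# Constructed sample of lastcomm output. The "S" flag sits in an optional
# second column (assumed layout), so the user is $3 when it is present.
sample_lastcomm() {
  cat <<'EOF'
sh         S    jrice    pts/tb   0.25 secs Fri Mar  1 13:01
uname           jrice    pts/tb   0.03 secs Fri Mar  1 13:01
passwd     S    jrice    pts/tb   0.09 secs Fri Mar  1 13:01
sendmail   S    vking    pts/ta   0.12 secs Fri Mar  1 13:22
passwd     S    root     pts/ta   0.05 secs Fri Mar  1 13:30
EOF
}

# Count SUID commands run by non-root users from acctcom output on stdin.
# Excludes the "#sh" shell summary line by exact match on the first field
# and root by exact match on the user field. Output: "<count> <cmd> <user>".
suid_report() {
  awk '
    $1 ~ /^#/ && $1 != "#sh" && $2 != "root" {
      cmd = substr($1, 2)            # strip the leading SUID marker
      count[cmd " " $2]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -rn
}

# Same report from lastcomm output on stdin. A record is SUID when the
# optional flags field (all upper-case letters) contains an "S".
suid_report_lastcomm() {
  awk '
    $2 ~ /^[A-Z]+$/ && index($2, "S") > 0 && $1 != "sh" && $3 != "root" {
      count[$1 " " $3]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -rn
}

# Stand-alone run over the constructed samples.
echo "acctcom:";  sample_acctcom  | suid_report
echo "lastcomm:"; sample_lastcomm | suid_report_lastcomm
```

On a live system replace the sample functions with the real commands, e.g. `acctcom | suid_report`, or run `acctcom -u jrice | suid_report` to narrow the report to one user before counting.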
