FINDSUID 1S
NAME
suid.chk - find changes in setuid and setgid files
SYNOPSIS
suid.chk [ -m user ] [ -n ] [ -o file ] [ -s secure_dir ] [ -S start_dir ] [ -x ]
DESCRIPTION
suid.chk is a shell script intended to be run periodically by cron(8) in order to spot changes in files with the setuid or setgid bit set.

suid.chk uses find(1) to search system directories for all files with the 4000 (setuid) or 2000 (setgid) permission bit set. It then compares these files with the contents of a ``stop file'' (by default suid.stop) containing ``ls -lga'' output for the known setuid and setgid programs. In addition, it flags any setuid or setgid program that is world-writable or is a shell script: a world-writable setuid program can be replaced by any user, and setuid shell scripts are a well-known attack target. Any addition to or change in this list is a potential security problem, so it is reported by mail to the system administrators for further investigation.
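The following is an added example and is not part of COPS or the suid.chk script itself: a small, portable sh re-implementation of the checks described above (listing setuid/setgid files, comparing them with a stop file, and flagging world-writable and script entries). The stop-file format it uses (one line of ``mode owner group path'' per entry rather than raw ``ls -lga'' output) and the function names suid_list, is_script and suid_check are assumptions of the example, and the files it checks are constructed in a scratch directory so that it can be run without touching real system binaries.

```shell
#!/bin/sh
# Added example: a minimal re-implementation of the checks described in
# suid.chk's DESCRIPTION. Not the COPS script. Assumed (not from the man
# page): the stop-file format "mode owner group path" and the names below.

LC_ALL=C; export LC_ALL      # stable sort order for comm(1)

# suid_list DIR: print "mode owner group path" for every regular file under
# DIR with the setuid (4000) or setgid (2000) bit set, one per line.
suid_list() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    sort |
    while IFS= read -r f; do
        # fields 1, 3 and 4 of "ls -ld" are mode, owner and group on both
        # GNU and BSD ls; the mode field carries the s/S bits.
        ls -ld "$f" | awk -v p="$f" '{ print $1, $3, $4, p }'
    done
}

# is_script FILE: true when FILE starts with "#!" (an interpreter script).
is_script() {
    [ "$(dd if="$1" bs=2 count=1 2>/dev/null)" = '#!' ]
}

# suid_check STOPFILE DIR: print entries added to, changed in or missing
# from the stop file, plus world-writable and script entries. Work files
# go in a fresh mode-700 directory (cf. the -s secure_dir option).
# Returns 0 when there is nothing to report, 1 otherwise.
suid_check() {
    stop=$1; dir=$2; found=0
    work=$(mktemp -d "${TMPDIR:-/tmp}/suidchk.XXXXXX") || return 2
    suid_list "$dir" | sort > "$work/now"
    sort "$stop" > "$work/stop"
    # A changed mode, owner or group shows up on both of these lists.
    comm -13 "$work/stop" "$work/now" > "$work/new"
    comm -23 "$work/stop" "$work/now" > "$work/gone"
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) -perm -002 \
        -print 2>/dev/null > "$work/ww"
    cut -d' ' -f4- "$work/now" | while IFS= read -r f; do
        if is_script "$f"; then printf '%s\n' "$f"; fi
    done > "$work/scr"
    sed 's/^/ADDED OR CHANGED: /'   "$work/new"
    sed 's/^/MISSING OR CHANGED: /' "$work/gone"
    sed 's/^/WORLD-WRITABLE: /'     "$work/ww"
    sed 's/^/SCRIPT: /'             "$work/scr"
    for r in new gone ww scr; do
        if [ -s "$work/$r" ]; then found=1; fi
    done
    rm -rf "$work"
    return $found
}

# Demo on a constructed sandbox; no real system files are touched.
demo=$(mktemp -d "${TMPDIR:-/tmp}/suiddemo.XXXXXX")
printf 'not a script\n' > "$demo/known"; chmod 4755 "$demo/known"
suid_list "$demo" > "$demo/suid.stop"      # baseline knows only "known"
printf '#!/bin/sh\nid\n' > "$demo/newscr"; chmod 4755 "$demo/newscr"
printf 'x\n' > "$demo/ww";                 chmod 4777 "$demo/ww"
if suid_check "$demo/suid.stop" "$demo"; then
    echo "no changes"
else
    echo "changes found: investigate the lines above"
fi
rm -rf "$demo"
```

To use it the way suid.chk is meant to be used, generate the stop file once with suid_list on a known-good host, store it where only root can write, and run suid_check from cron with its output mailed to the administrators; the non-zero return status is what tells the cron wrapper that something was reported. World-writable and script entries are reported on every run, whether or not they appear in the stop file, since their presence is itself the problem.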

OPTIONS

-m user      Mail the results to this user.

-n           Do *not* descend into NFS-mounted partitions. This is probably not portable across machines; check the string in the source code that does the work. On a Sun it is:

                 "-type d \\( -fstype nfs -prune \\)"

-o file      Write the results to this file instead of mailing them.

-s secure_dir
             Set the secure directory in which suid.chk does its work. This is needed when running from cron; otherwise it will take "/" to be the secure directory and chmod that to 700 :-)

-S start_dir
             Set the directory where the find starts. Warning: this does not work together with the -x flag.

FILES
suid.stop (the ``stop file'')
SEE ALSO
find(1), chmod(1), cron(8)
BUGS
The location of the stop file and the directories to be searched are all defined by shell variables in the source. The -S and -x flags do not work together.

Keeping the stop files up to date with changes to all the suid files on more than a couple of hosts is a royal pain!