/usr/share/checksecurity/check-setuid is in checksecurity 2.0.16+nmu1ubuntu1.
This file is owned by root:root, with mode 0o755.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 | #!/bin/sh
#
# Check-setuid checksecurity plugin
#
# This script is designed to find the setuid files present on the system
#
# It is part of the 'checksecurity' package, and tests may be configured
# by the global file '/etc/checksecurity.conf' and the file
# '/etc/checksecurity/check-setuid.conf'.
#
# Copyright (C) 2003-2005 Steve Kemp <skx@debian.org>
#
# Licensed under the GNU General Public License
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
set -e
PATH=/sbin:/bin:/usr/sbin:/usr/bin
umask 027
cd /
if [ -e /etc/checksecurity/check-setuid.conf ]
then
. /etc/checksecurity/check-setuid.conf
fi
if [ `/usr/bin/id -u` != 0 ] ; then
echo "Only root has permission to run this script"
exit 1
fi
TMPSETUID=${LOGDIR:=/var/log/setuid}/setuid.new.tmp
TMPDIFF=${LOGDIR:=/var/log/setuid}/setuid.diff.tmp
#
# Check for NFS/AFS mounts that are not nosuid/nodev
#
if [ ! "$CHECKSECURITY_NONFSAFS" = "TRUE" ] ; then
# temporarily disable error exit, as grep may give errors if no nfs/afs
# are mounted.
set +e
nfssys=`mount | grep -E 'type (nfs|afs)' | grep -vE '\(.*(nosuid|noexec).*nodev.*\)'`
nfssyscnt=`echo $nfssys |grep "[a-z]"| wc -l`
set -e
if [ $nfssyscnt -gt 0 ] ; then
echo "The following NFS or AFS filesystems are mounted insecurely:"
echo ""
echo $nfssys
echo ""
echo "If this is intentional and you have supreme confidence in the"
echo "security of the server for these file systems, you may disable"
echo "this message by editing the value of CHECKSECURITY_NONFSAFS in"
echo "the file /etc/checksecurity/check-setuid.conf."
fi
fi
if [ "$CHECKSECURITY_NOFINDERRORS" = "TRUE" ] ; then
exec 9>&2
exec 2>/dev/null
fi
# Guard against undefined vars
[ -z "$LOGDIR" ] && LOGDIR=/var/log/setuid
if [ ! -e "$LOGDIR" ] ; then
echo "ERROR: Log directory $LOGDIR does not exist"
exit 1
fi
if [ -n "$CHECKSECURITY_PATHFILTER" ]; then
PATHCHK="( $CHECKSECURITY_PATHFILTER ) -prune -o"
else
PATHCHK=" -prune -o"
fi
if [ -n "$CHECKSECURITY_DEVICEFILTER" ]; then
DEVCHK="-a -not ( $CHECKSECURITY_DEVICEFILTER )"
else
DEVCHK=""
fi
# This is the only way to pass '*' through a variable (NODEVDIRS) -- Marc
set -o noglob
ionice -t -c3 \
find `mount | grep -vE "$CHECKSECURITY_FILTER" | cut -d ' ' -f 3` \
-ignore_readdir_race \
-xdev $PATHCHK \
\( -type f -perm /06000 -o \( \( -type b -o -type c \) \
$DEVCHK \) \) \
-printf "%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" |
sort -k 12 >$TMPSETUID
set +o noglob
if [ "$CHECKSECURITY_NOFINDERRORS" = "TRUE" ] ; then
exec 2>&9
fi
cd $LOGDIR
test -f setuid.today || touch setuid.today
if cmp -s setuid.today $TMPSETUID >/dev/null
then
:
else
diff -U0 setuid.today $TMPSETUID >> $TMPDIFF || [ $? = 1 ]
echo "`hostname` changes to setuid programs and devices:"
cat $TMPDIFF
if [ `cat $TMPDIFF | wc -l` -gt 0 -a ! -z "$CHECKSECURITY_EMAIL" ]; then
/usr/bin/mail -s "Setuid changes for `hostname -f` on `date '+%D %T'`" $CHECKSECURITY_EMAIL < $TMPDIFF
fi
# Log the changes
cp $TMPDIFF setuid.changes
mv setuid.today setuid.yesterday
mv $TMPSETUID setuid.today
chown root:adm setuid.today
fi
rm -f $TMPDIFF
rm -f $TMPSETUID
exit 0
|