Valid on UNIX
The seuidpgm utility extracts all the programs whose Set-User-ID or Set-Group-ID bit is on. seuidpgm traverses a file system and creates the selang commands for adding these programs to the PROGRAM class.
seuidpgm creates the commands in the selang command language and writes them to the standard output. You can pipe the output to the selang utility, or redirect it to a file. We recommend that you redirect the output to a file, because you can then edit the output to remove unwanted programs or add additional programs. Use this procedure to search for undesirable setuid programs on your system.
Note: We recommend that you run the UxImport utility to define users and groups before running the seuidpgm utility. However, if you have not run UxImport, you can use seuidpgm with the -g and -u options to define users and groups.
seuidpgm descends through the paths specified at the command line to all subdirectories of the starting path. Multiple start paths are allowed.
You can specify any number of options. When specifying more than one option, separate the options with spaces.
If a setuid program is also writable, seuidpgm treats the program like all other setuid programs, but also sends a warning to standard error.
Note: For more information on how to control PROGRAM class records, see the Endpoint Administration Guide for UNIX.
This command has the following format:
seuidpgm option startDir ... [-x excludeDir]
Automatically creates entries for setuid and setgid programs in the PROGRAM class, with defaccess set to execute, instead of analyzing the file permissions in UNIX to determine the permitted file access. In some cases, one setuid or setgid program executes another one. If you do not include this option, the program trying to execute the setuid or setgid program is not able to execute it.
We recommend that you use this option.
Creates rules for both the FILE and PROGRAM classes.
Creates GROUP records for setgid programs.
Note: Use this option only if you have not run UxImport.
Creates a single permit for programs which have hard or symbolic links.
If you want to scan your file system starting from certain directories only (not from the root directory) and you include the -l option, specify multiple starting paths on the command line; otherwise the -l option may be inefficient.
Does not traverse NFS at all.
We recommend that you use this option.
Writes the file names to the standard output but does not create selang commands.
Enables setuid programs from NFS directories, but only when the mount table allows setuid from that mounted file system.
Runs the utility in Quiet‑Mode; error messages are not sent to standard error.
Creates entries for setuid/setgid programs in class SECFILE, instead of creating entries for the PROGRAM class.
Creates USER records for setuid programs.
Note: Use this option only if you have not run UxImport.
Excludes a directory from the tree. The specified directory is not searched for setuid and setgid programs. This option must be the last option specified on the command line. excludeDir is the full path of the directory to be excluded. To exclude more than one directory, repeat the -x option for each directory.
Specifies a space-separated list of top directories to search for trusted programs.
Examples
seuidpgm -dlqn /usr /var /etc > ~/seprogs.seos
The output should look similar to the following:
## *************************************************
## seuidpgm List Sun Feb 9 14:24:16 1997
## Start Path= /usr
## ************************************************
nr PROGRAM /usr/lpp/bos/inst_root/lpp/inu_LOCK defaccess(EXEC)
nr PROGRAM /usr/lpp/X11/bin/xlock defaccess(EXEC)
nr PROGRAM /usr/bin/setsenv defaccess(EXEC)
nr PROGRAM /usr/bin/shell defaccess(EXEC)
nr PROGRAM /usr/bin/su defaccess(EXEC)
nr PROGRAM /usr/bin/sysck defaccess(EXEC)
nr PROGRAM /usr/bin/tcbck defaccess(EXEC)
nr PROGRAM /usr/bin/usrck defaccess(EXEC)
nr PROGRAM /usr/bin/vmstat defaccess(EXEC)
seuidpgm -qln / -x /home
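The following is an added example, not the seuidpgm utility's own code: a small POSIX-shell approximation of what the scan described above does (roughly "seuidpgm -dq" with an -x exclusion), so that the selang output format and the writable-setuid warning can be tried on a constructed sample tree. The function names and the sample tree are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of seuidpgm: walk the start directories, prune the
# directory given with -x (last on the command line, as for seuidpgm), print one
# selang "nr PROGRAM <path> defaccess(EXEC)" line per setuid/setgid regular file
# on stdout, and warn on stderr when such a program is writable by group/others.

# list_setuid_programs startDir ... [-x excludeDir]   (assumed name)
list_setuid_programs() {
    exclude="" ; dirs=""
    while [ $# -gt 0 ]; do
        if [ "$1" = "-x" ]; then exclude="$2"; shift 2; continue; fi
        dirs="$dirs $1"; shift                    # assumes paths without spaces
    done
    echo "## *************************************************"
    echo "## seuidpgm-style list $(date) # Start Path=$dirs"
    echo "## *************************************************"
    for start in $dirs; do
        # -perm -4000: setuid bit set; -perm -2000: setgid bit set
        find "$start" -path "${exclude:-//none//}" -prune -o \
             -type f \( -perm -4000 -o -perm -2000 \) -print |
        while IFS= read -r prog; do
            # A setuid/setgid program that group or others may modify is still
            # listed, but with a warning on standard error (as seuidpgm does).
            if [ -n "$(find "$prog" \( -perm -020 -o -perm -002 \) -print)" ]; then
                echo "WARNING: $prog is setuid/setgid and writable by group or others" >&2
            fi
            echo "nr PROGRAM $prog defaccess(EXEC)"
        done
    done
}

# make_sample_tree: constructed sample data (assumed), prints the temp dir path
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/bin" "$t/home"
    : > "$t/bin/su";    chmod 4755 "$t/bin/su"     # setuid, not writable
    : > "$t/bin/xlock"; chmod 4777 "$t/bin/xlock"  # setuid and world-writable
    : > "$t/bin/ls";    chmod 0755 "$t/bin/ls"     # ordinary program, skipped
    : > "$t/home/x";    chmod 4755 "$t/home/x"     # setuid, but under the -x dir
    echo "$t"
}

# Demo on the constructed tree when run stand-alone; output resembles the page's.
SAMPLE=$(make_sample_tree)
list_setuid_programs "$SAMPLE/bin" "$SAMPLE/home" -x "$SAMPLE/home"
rm -rf "$SAMPLE"
```

Redirect the output to a file and review it before feeding it to selang, as recommended above; the warnings on standard error mark the programs worth a closer look.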
Copyright © 2013 CA Technologies.
All rights reserved.