

seuidpgm Utility—Extract Trusted Programs

Valid on UNIX

The seuidpgm utility extracts all the programs whose Set‑User‑ID or Set‑Group‑ID bit is on. seuidpgm traverses a file system and creates the selang commands for adding these programs to the PROGRAM class.

seuidpgm creates the commands in the selang command language and writes them to the standard output. You can pipe the output to the selang utility, or redirect it to a file. We recommend that you redirect the output to a file, because you can then edit the output to remove unwanted programs or add additional programs. Use this procedure to search for undesirable setuid programs in your system.

Note: We recommend that you run the UxImport utility to define users and groups before running the seuidpgm utility. However, if you have not run UxImport, you can use seuidpgm with the ‑g and ‑u options to define users and groups.

seuidpgm descends through the paths specified at the command line to all subdirectories of the starting path. Multiple start paths are allowed.

You can specify any number of options. When specifying more than one option, separate the options with spaces.

If a setuid program is also writable, seuidpgm treats it like all other setuid programs, but also sends a warning to standard error.

Note: For more information on how to control PROGRAM class records, see the Endpoint Administration Guide for UNIX.

This command has the following format:

seuidpgm option startDir ... [-x excludeDir]
‑d

Automatically creates entries for setuid and setgid programs in the PROGRAM class, with defaccess set to execute, instead of analyzing the file permissions in UNIX to determine the permitted file access. In some cases, one setuid or setgid program executes another one. If you do not include this option, the program trying to execute the setuid or setgid program is not able to execute it.

We recommend that you use this option.

‑f

Creates rules for both the FILE and PROGRAM classes.

‑g

Creates GROUP records for setgid programs.

Note: Use this option only if you have not run UxImport.

‑l

Creates a single permit for programs which have hard or symbolic links.

If you scan from specific directories rather than from the root directory and use the ‑l option, specify all of those starting paths on a single command line; otherwise the ‑l option may be inefficient.

‑n

Does not traverse NFS at all.

We recommend that you use this option.

‑o

Writes the file names to the standard output but does not create selang commands.

‑p

Enables setuid programs from NFS directories, but only when the mount table allows setuid from that mounted file system.

‑q

Runs the utility in Quiet‑Mode; error messages are not sent to standard error.

‑s

Creates entries for setuid/setgid programs in class SECFILE, instead of creating entries for the PROGRAM class.

‑u

Creates USER records for setuid programs.

Note: Use this option only if you have not run UxImport.

‑x excludeDir

Excludes a directory from the tree. The specified directory is not searched for setuid and setgid programs. This option must be the last option specified on the command line. excludeDir is the full path of the directory to be excluded. To exclude more than one directory, repeat the ‑x option for each directory.

startDir

Specifies a space-separated list of top directories to search for trusted programs.

Examples
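The following is an added illustration, not code from CA ControlMinder or from the original page: a small POSIX sh function that mimics what the seuidpgm scan does (finds setuid/setgid programs under the start directories, honours ‑x exclusions, and warns on standard error about writable setuid programs) and emits selang lines for review. The selang syntax newres PROGRAM <path> defaccess(execute) is an assumption; verify it against the selang reference before piping output to selang.

```shell
#!/bin/sh
# Added example, not CA ControlMinder code: a POSIX sh approximation of the
# seuidpgm scan, so the logic can be read and tried on a test tree.
# Usage: scan_suid STARTDIR... [-x EXCLUDEDIR]...   (as with seuidpgm, -x comes last)
# Assumption: selang syntax "newres PROGRAM <path> defaccess(execute)".

# Succeeds if PATH ($1) lies under any directory in the newline-separated list $2.
is_excluded() {
    path=$1
    oldifs=$IFS; IFS='
'
    for ex in $2; do
        case "$path" in "$ex"/*) IFS=$oldifs; return 0 ;; esac
    done
    IFS=$oldifs
    return 1
}

scan_suid() {
    starts=""; excludes=""
    while [ $# -gt 0 ]; do
        if [ "$1" = "-x" ]; then
            excludes="$excludes
$2"; shift 2
        else
            starts="$starts
$1"; shift
        fi
    done
    oldifs=$IFS; IFS='
'
    set -- $starts   # newline-split so start directories with spaces survive
    IFS=$oldifs
    # Regular files with the setuid (4000) or setgid (2000) bit set. seuidpgm
    # prunes -x directories while walking; filtering afterwards gives the same list.
    find "$@" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r prog; do
        if is_excluded "$prog" "$excludes"; then continue; fi
        # A writable setuid program is still listed, but with a warning on stderr.
        # Criterion assumed here: writable by "other" (mode bit 0002).
        if [ -n "$(find "$prog" -perm -0002 -print)" ]; then
            echo "warning: $prog is setuid/setgid and world-writable" >&2
        fi
        echo "newres PROGRAM $prog defaccess(execute)"
    done
}
```

Redirect the output to a file and review it before feeding it to selang, as the page recommends, since every listed program becomes a trusted PROGRAM record.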

More information:

selang Utility—Run the CA ControlMinder Command Line

UxImport Utility—Extract Information from the UNIX Operating System

seoswd Daemon

seosd Daemon