Finding Files With SUID Binaries

SUID stands for “Set User ID”, and it is a special type of permission that can be given to a file so the file is always run with the permissions of the owner instead of the user executing it. This is necessary for a lot of programs to work properly in Unix. The ping program requires root privileges to create network sockets. It is also a program that is commonly used by non-privileged users to test network connections. Instead of only allowing users with elevated privileges to run ping, the SUID permission is placed on the file so that anyone can run the program with root privileges. Because ping is a tried and tested program, it has been deemed safe to be run with SUID permissions.

Other programs have various ways of abusing SUID privileges because they have additional features that allow a user to “break out” of the intended functionality.

You can use these commands to find a list of SUID enabled executables on a Unix machine:

find / -user root -perm -4000 -print 2>/dev/null

find / -type f -perm -04000 -ls 2>/dev/null

find / -type f -perm -u=s 2>/dev/null | xargs ls -l

find / -perm -u=s -type f 2>/dev/null

find / -user root -perm -4000 -exec ls -ldb {} \;