Hi.
If you cannot remove the SUID-bit even though you are root, you might already be hacked (if you haven't set any protection yourself). Try issuing "lsattr /usr/bin/rsh". If you see an "i" between the "-" marks, then there is an immutable flag set to that file. This means that the file is protected and you cannot touch it unless you unset the flag by issuing "chattr -i <file>". If there was an immutable flag that you haven't set, I strongly recommend that you reinstall your system (and then reconfigure it securely :) since you really cannot know how the intruders have backdoored your machine.

Regards,
- Petrus

On Mon, 3 Jun 2002, Eric wrote:
> I am trying to delimit the number of programs that have SUID permission.
> Following a friendly recommendation, I found the programs that have SUID by:
>
> find / -type f -perm -u+s -or -perm -g+s
>
> I attempted to change SUID on some of the results, again following a suggestion:
>
> chmod -s file
>
> However, this command works sometimes, and sometimes only results in
> a "permission denied, operation not permitted" message. For
> instance, /usr/bin/cu and /usr/bin/rsh resulted in that error message,
> but /usr/bin/lpr did work. Why the difference?
>
> Thank you,
>
> Eric
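
The check described in the reply above, as an added example that is not part of the original thread: it lists SUID/SGID files and reports the ones whose `lsattr` flags contain `i`, which are the files where `chmod -s` fails for root. The function names, the `--scan` argument and the sample `lsattr` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report SUID/SGID files whose immutable flag blocks "chmod -s".

# Read lsattr output on stdin ("<flags> <path>" per line) and print the paths
# whose flag field contains a lowercase "i" (immutable). The match is
# case-sensitive, so an uppercase "I" in the flag field is not reported.
immutable_paths() {
    while read -r flags path; do
        case "$flags" in
            *i*) printf '%s\n' "$path" ;;
        esac
    done
}

# Find SUID/SGID regular files under a directory and report the immutable ones.
# The parentheses make "-type f" apply to both permission tests.
scan_suid_immutable() {
    find "$1" -xdev -type f \( -perm -u+s -o -perm -g+s \) \
        -exec lsattr -d {} + 2>/dev/null | immutable_paths
}

# Constructed lsattr output (not taken from a real host): rsh and cu carry the
# immutable flag, lpr does not, and the last line carries only an uppercase "I".
sample_lsattr() {
    cat <<'EOF'
----i---------e------- /usr/bin/rsh
----i---------e------- /usr/bin/cu
--------------e------- /usr/bin/lpr
--------------e----I-- /srv/indexed dir
EOF
}

# "--scan [DIR]" inspects a real file system; with no arguments the script
# runs on the constructed sample so it works offline.
if [ "${1:-}" = "--scan" ]; then
    scan_suid_immutable "${2:-/}"
else
    sample_lsattr | immutable_paths
fi
```

Any path this prints that you did not flag yourself is the case the reply warns about; `chattr -i <file>` clears the flag, after which `chmod -s` succeeds.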
