sulekha
I have read that
To check for a possible Trojan horse, examine the filesystem periodically for files with setuid permission. The following command lists these files:
Listing setuid files
$ sudo find / -perm -4000 -exec ls -lh {} \; 2> /dev/null
Can anyone explain why the permission is given as 4000 in this command?
AFAIK I haven't seen any files with permission 4000.
jiliagre
You overlook the "-" preceding 4000. That means the permissions need not be exactly 04000; only the bits set in 04000 need to be set in the tested file too.
04000 means precisely the setuid bit.
cariboo907
Permissions of 4000 just means to set user ID on execution. A better way to scan for rootkits is to install rkhunter. Rkhunter scans for rootkits daily and emails you the results.
Ex:
Suppose I have a program named myprogram and I want to make it setuid root:
chown root myprogram
chmod 4755 myprogram
And to make it setgid root:
chgrp root myprogram
chmod 2755 myprogram
Some common setuid programs are ping, mount, traceroute, su, etc.
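
The periodic check described in the quoted text, written as an added example that is not part of any post in this thread: it shows the difference between `-perm 4000` and `-perm -4000` and reports files that gained the setuid bit since a saved baseline. The function names and the baseline file are assumptions of this example.

```sh
#!/bin/sh
# Added example; function names and the baseline file are assumptions.
LC_ALL=C; export LC_ALL   # same collation for sort and comm

# List regular files under directory $1 that have the setuid bit set.
# "-perm -4000": every bit in 04000 must be set, other bits are ignored,
# so 4755 and 6755 match as well as a bare 4000.
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Print setuid files under $1 that are not in baseline file $2
# (one path per line, sorted, as written by list_setuid).
new_setuid() {
    list_setuid "$1" | comm -13 "$2" -
}

# Constructed demo in a scratch directory; no system files are touched.
demo() {
    d=$(mktemp -d) || return 1
    touch "$d/bare" "$d/typical" "$d/plain"
    chmod 4000 "$d/bare"; chmod 4755 "$d/typical"; chmod 0755 "$d/plain"
    echo "exact match (-perm 4000):"
    find "$d" -type f -perm 4000 | sort
    echo "setuid bit set (-perm -4000):"
    list_setuid "$d"
    list_setuid "$d" > "$d/baseline"      # record the known-good state
    chmod u+s "$d/plain"                  # simulate a file gaining setuid
    echo "new since baseline:"
    new_setuid "$d" "$d/baseline"
    rm -rf "$d"
}
demo
```

For a real audit, write the baseline once from a known-good system, store it where an intruder cannot modify it, and run `new_setuid` against it from a scheduled job.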