GEN002440 - The owner, group, mode, ACL, and location of files with the setgid bit set must be documented using site-defined procedures


All files with the setgid bit set will allow anyone running these files to be temporarily assigned the GID of the file. While many system files depend on these attributes for proper operation, security problems can result if setgid is assigned to programs that allow reading and writing of files, or shell escapes.


All files with the sgid bit set will be documented in the system baseline and authorized by the Information Systems Security Officer. Locate all sgid files with the following command:

#find / -perm -2000 -exec ls -lL {} ;
# find / -perm -2000 -exec aclget {} ;

Ensure sgid files are part of the operating system software, documented application software, documented utility software, or documented locally developed software. Ensure none are text files or shell programs.

See Also

Item Details


References: 800-53|CM-6c., CAT|II, CCI|CCI-000368, Group-ID|V-802, Rule-ID|SV-38945r1_rule, STIG-ID|GEN002440, Vuln-ID|V-802

Plugin: Unix

Control ID: 81e949f4bbde94900928de192841869abccd897a8d1a62af0e662e3db9e3accd