Security Administration: SUID, lsof, ulimit, sudo

What You Will Achieve

  • Find dangerous files with SUID / SGID set using find
  • Identify open files and network ports with lsof
  • Check and stop processes using a file or filesystem with fuser
  • Understand the difference between soft and hard limits and restrict resources with ulimit
  • Configure sudo / sudoers safely with visudo
  • Audit login activity with who / w / last

This is the core of LPIC-1 objective 110.1, "Perform security administration tasks". It systematically covers auditing SUID files (a hotbed for privilege escalation), ulimit for preventing resource exhaustion, and sudo for least privilege.

Why Auditing SUID Files Matters

An executable with SUID set runs with the permissions of the file owner (often root), not the user running it. A vulnerability leads directly to privilege escalation, so periodic auditing is essential.

Bit      Octal   Meaning                                                    Search command
SUID     4000    Run with the file owner's permissions (e.g. passwd)        find / -perm -4000
SGID     2000    Run with the group's permissions / directory inheritance   find / -perm -2000
Sticky   1000    Prevent deleting others' files in /tmp etc.                find / -perm -1000

The leading - in -perm means "all of the specified bits are set". -perm 4000 (no minus) means "the permission bits match exactly", and -perm /4000 means "any of the specified bits is set". The three forms behave differently, so be careful which one you use.

Unexpected SUID files (especially under /tmp or user home directories) can be an entry point for privilege escalation. Capture a baseline with find and audit the diff periodically.

Steps

Step 1: Find SUID / SGID files

find / -perm -4000 -type f 2>/dev/null
find / -perm -2000 -type f 2>/dev/null
find / \( -perm -u=s -o -perm -g=s \) -type f 2>/dev/null
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su
/usr/bin/mount
/usr/bin/chsh

-perm -4000 extracts files with SUID set and -perm -2000 those with SGID set. The symbolic forms -perm -u=s (SUID) and -perm -g=s (SGID) do the same. When combining them with -o, group the two tests in \( ... \): -o binds more loosely than the implicit -a before -type f, so without the grouping -type f would apply only to the SGID branch. 2>/dev/null suppresses errors from directories you cannot read.
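The text above recommends capturing a baseline and auditing the diff periodically. The following script is an added example, not code from the original article: it records every SUID/SGID file with its mode and owner, and later reports what changed. It assumes GNU find (for -printf) and GNU coreutils (sort, comm, mktemp), as found on a normal Linux host.

```shell
#!/bin/sh
# Added example, not from the original article: keep a baseline of SUID/SGID
# files and report what changed since it was taken. Assumes GNU find (-printf)
# and GNU coreutils (sort, comm, mktemp), i.e. a normal Linux host.

# audit_suid ROOT: one sorted record per SUID/SGID regular file below ROOT,
# formatted "<octal mode> <owner>:<group> <path>". Mode and owner are part of
# the record, so a changed bit or owner shows up in the diff, not only a new path.
audit_suid() {
    root=${1:-/}
    # -xdev: stay on one filesystem; the parentheses are required because -o
    # binds more loosely than the implicit -a between -perm and -type
    find "$root" -xdev \( -perm -4000 -o -perm -2000 \) -type f \
        -printf '%m %u:%g %p\n' 2>/dev/null | LC_ALL=C sort
}

# suid_diff BASELINE ROOT: compare the current state of ROOT against a saved
# baseline. Prints "+ record" for records absent from the baseline (new file,
# new bit, or changed owner) and "- record" for records that disappeared.
# Returns 0 when nothing changed, 1 when there is something to review.
suid_diff() {
    baseline=$1
    root=${2:-/}
    current=$(mktemp)
    audit_suid "$root" > "$current"
    added=$(LC_ALL=C comm -13 "$baseline" "$current")
    removed=$(LC_ALL=C comm -23 "$baseline" "$current")
    rm -f "$current"
    [ -n "$added" ] && printf '%s\n' "$added" | sed 's/^/+ /'
    [ -n "$removed" ] && printf '%s\n' "$removed" | sed 's/^/- /'
    [ -z "$added$removed" ]
}

# Usage: sh suid_audit.sh baseline FILE [ROOT]   save a baseline of ROOT to FILE
#        sh suid_audit.sh diff FILE [ROOT]       report changes since FILE
case "${1:-}" in
    baseline) audit_suid "${3:-/}" > "$2" ;;
    diff)     suid_diff "$2" "${3:-/}" ;;
esac
```

Store the baseline somewhere a local attacker cannot edit (or hash it), and run the diff from cron or your configuration-management tool; a non-zero exit status is the signal to look at the listed records.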

Step 2: Inspect open files and ports with lsof

lsof -i :22
lsof -p 1234
lsof -u alice
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd     812 root    3u  IPv4  18293      0t0  TCP *:ssh (LISTEN)

lsof -i :22 lists processes using port 22, -p PID lists files opened by a specific process, and -u user lists a user's open files. You can also filter by protocol or host such as -i TCP or -i @host.

Step 3: Identify and stop processes with fuser

fuser -v /var/log/syslog
fuser -m /mnt/data
fuser -k -m /mnt/data
                     USER        PID ACCESS COMMAND
/var/log/syslog:     root        812 F.... rsyslogd

fuser -v file shows processes that have the file open in a ps-like style. -m treats the argument as a mounted filesystem and targets all processes using files on that filesystem. -k sends SIGKILL to them. Use it to clear "device is busy" before unmounting.

Step 4: Check and set resource limits with ulimit

ulimit -a
ulimit -Sn
ulimit -Hn
ulimit -n 2048
open files                          (-n) 1024
max user processes                  (-u) 7860
...

ulimit -a lists all limits. -n is the number of files that can be open, -u is the number of user processes. -S is the soft limit (current value) and -H is the hard limit (ceiling). A regular user can change the soft limit up to the hard limit, but only root can raise the hard limit.

To make it persistent, edit /etc/security/limits.conf.

# /etc/security/limits.conf
# <domain> <type> <item> <value>
alice      soft    nofile  4096
alice      hard    nofile  8192
@developers hard   nproc   100

The type column is soft or hard; the item column names the resource, such as nofile (open file count) or nproc (process count). A domain of @groupname applies the limit to every member of that group.

Step 5: Configure sudo with visudo

visudo
# /etc/sudoers
alice       ALL=(ALL:ALL) ALL
%admin      ALL=(ALL) ALL
%developers ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx

visudo is the dedicated command that edits /etc/sudoers with syntax checking. %groupname grants privileges to a group, and NOPASSWD: skips the password prompt. After editing, verify with sudo -l as the target user.

sudo -l
User alice may run the following commands on host:
    (ALL : ALL) ALL

su vs su -, and Login Auditing

The difference between su and su - is whether environment variables and the current directory are carried over. su user (no option) switches while keeping much of the original user's environment, whereas su - user (with the hyphen, same as su -l) starts a login shell and fully loads the target user's PATH, HOME, and initialization files. When switching to root for work, su - is safer and avoids running the wrong command due to a stale PATH.

Use the following commands to audit login activity.

Command   What it shows                                  Data source
who       Currently logged-in users                      /var/run/utmp
w         Logged-in users plus their processes and load  /var/run/utmp
last      Login history (including reboots)              /var/log/wtmp
lastlog   Last login time per user                       /var/log/lastlog

last and lastlog are the basics for tracking suspicious logins. Combine with chage -l user to check password expiration and inventory dormant accounts.

chage -l alice
Last password change                : May 01, 2026
Password expires                    : Jul 30, 2026
Account expires                     : never

On the network side, nmap can scan a host's open ports (e.g. nmap localhost). Scanning hosts you do not own without permission may constitute unauthorized access, so use it only against authorized targets.

Common Mistakes and Fixes

  • Breaking sudoers by editing it directly: Saving bad syntax with vi /etc/sudoers makes sudo completely unusable. Always use visudo. If broken, repair via pkexec or rescue mode.
  • Confusing soft and hard limits: A regular user trying to raise ulimit -n beyond the hard limit gets Operation not permitted. Raising the hard limit requires root plus /etc/security/limits.conf.
  • Underestimating SUID risk: Carelessly adding SUID to your own script creates a privilege-escalation hole. SUID on shell scripts is ignored in many environments, but vulnerabilities in dependent commands remain.
  • Mixing up su and su -: Becoming root with plain su keeps the original environment, risking running an unintended command from PATH as root. Use su - for administrative work.
  • Confusing find -perm 4000 with -perm -4000: Without the minus it means "exact match", so a real SUID file like rwsr-xr-x is not matched. The leading minus is required for auditing.

Troubleshooting

Symptom: "device is busy" when unmounting

Cause: A process still has a file open on that filesystem

Check:

fuser -vm /mnt/data
lsof +D /mnt/data

Fix: Identify the process and terminate it gracefully. Only as a last resort, force-kill with fuser -k -m /mnt/data, after confirming the targets.
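To make the "identify the process first" step concrete, here is an added example (not code from the original article) that does what fuser -vm and lsof +D do in Step 3 and in this troubleshooting entry, but by walking /proc directly, so it works even on a minimal system where neither tool is installed. It assumes Linux with a readable /proc; processes whose fd directory you may not read (other users' processes when you are not root) are skipped silently.

```shell
#!/bin/sh
# Added example, not part of the original article: a /proc-based equivalent of
# "fuser -vm DIR" that lists which processes hold files open below DIR, so you
# can decide what to stop before unmounting instead of killing blindly.
# Assumes Linux with a readable /proc; processes whose fd directory you may not
# read (other users' processes, when not root) are skipped silently.

# procs_using DIR: print "PID COMMAND PATH" for every cwd, executable or open
# file descriptor that resolves to a path at or below DIR (one line per path).
procs_using() {
    dir=$(readlink -f "$1")          # canonical path, so symlinked mounts match
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        # cwd, exe and fd/* are symlinks; readlink fails on what we may not read
        for link in "$p"/cwd "$p"/exe "$p"/fd/*; do
            target=$(readlink "$link" 2>/dev/null) || continue
            case "$target" in
                "$dir"|"$dir"/*)
                    cmd=$(cat "$p/comm" 2>/dev/null)
                    printf '%s %s %s\n' "$pid" "${cmd:-?}" "$target"
                    ;;
            esac
        done
    done | LC_ALL=C sort -u
}

# pids_using DIR: just the PIDs, one per line, for feeding to ps or kill.
pids_using() {
    procs_using "$1" | awk '{ print $1 }' | sort -n -u
}

# Usage: sh procs_using.sh /mnt/data
# Then review before stopping anything, e.g.:
#   ps -o pid,user,etime,cmd -p "$(pids_using /mnt/data | paste -sd,)"
if [ $# -eq 1 ]; then
    procs_using "$1"
fi
```

The output tells you which file is held and by whom, which is what you need to stop the service cleanly (systemctl stop, or a TERM signal to the specific PID) rather than reaching for fuser -k.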

Symptom: An app crashes with "Too many open files"

Cause: Open file count reached the soft limit (nofile)

Check:

ulimit -Sn
lsof -p PID | wc -l

Fix: Raise the soft limit for that shell with ulimit -n. For a persistent fix, add nofile to /etc/security/limits.conf and re-login to apply.
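The check above compares a process's open-file count (lsof -p PID | wc -l) with the soft limit (ulimit -Sn). The following added example, not code from the original article, does the same comparison for Step 4 and for this troubleshooting entry by reading /proc/PID/limits and counting /proc/PID/fd, so it needs no lsof and can be run from monitoring before the limit is hit. It assumes Linux and a PID whose /proc entry you may read.

```shell
#!/bin/sh
# Added example, not from the original article: report how close a process is
# to its "open files" (nofile) soft limit by reading /proc, so you can spot a
# looming "Too many open files" before it happens and without lsof.
# Assumes Linux; the PID must be one whose /proc entry you may read.

# fd_usage PID: print "PID USED SOFT HARD PERCENT", where PERCENT is the share
# of the soft limit currently in use. Returns 1 if the process is not inspectable.
fd_usage() {
    pid=$1
    [ -r "/proc/$pid/limits" ] || return 1
    used=$(ls "/proc/$pid/fd" 2>/dev/null | wc -l)
    used=$((used + 0))                                  # strip any padding from wc
    # The relevant line reads: "Max open files   1024   1048576   files"
    set -- $(awk '/^Max open files/ { print $4, $5 }' "/proc/$pid/limits")
    soft=$1 hard=$2
    if [ "$soft" = unlimited ]; then pct=0; else pct=$((used * 100 / soft)); fi
    printf '%s %s %s %s %s\n' "$pid" "$used" "$soft" "$hard" "$pct"
}

# fd_check PID THRESHOLD: return 0 while usage is below THRESHOLD percent of the
# soft limit, 1 (printing a warning) once it reaches it, 2 if PID cannot be read.
fd_check() {
    thr=$2
    line=$(fd_usage "$1") || return 2
    set -- $line
    if [ "$5" -ge "$thr" ]; then
        echo "warning: pid $1 uses $2 of $3 open files ($5% of soft limit, hard limit $4)"
        return 1
    fi
    return 0
}

# Usage: sh fd_usage.sh PID [THRESHOLD]; defaults to this shell and 80 percent.
fd_usage "${1:-$$}"
fd_check "${1:-$$}" "${2:-80}" || true
```

Because the soft limit is read from the process itself rather than from your shell, the result reflects whatever limits.conf or the service manager actually applied at login, which is also a quick way to confirm that a limits.conf change took effect after re-login.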

Symptom: sudo asks for a password every time, blocking automation

Cause: NOPASSWD: is not set for the target user/command

Check:

sudo -l

Fix: Use visudo to grant NOPASSWD: limited to specific commands. Avoid unconditional NOPASSWD on ALL for security; restrict it to the commands you need.
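Since the rule is "NOPASSWD only for specific commands", an audit should be able to find the exception. The following is an added example, not code from the original article: a small lint that prints every rule granting NOPASSWD on ALL, covering both the visudo step above and this troubleshooting entry. The sudoers content it runs over is constructed for the demo (the three rules from the article plus two extra entries); on a real host, run it over /etc/sudoers and /etc/sudoers.d/* after visudo -c -f FILE has confirmed the syntax.

```shell
#!/bin/sh
# Added example, not from the original article: a small lint for sudoers files
# that flags the pattern the troubleshooting entry warns against, an
# unconditional "NOPASSWD: ALL". The sample sudoers content below is constructed
# for the demo; on a real host, run it over /etc/sudoers and /etc/sudoers.d/*
# after "visudo -c -f FILE" has confirmed the syntax.

# sudoers_nopasswd_all FILE: print every non-comment line whose command list
# after NOPASSWD: is ALL (alone or as the first comma-separated entry).
# The return value is the number of flagged lines, so 0 means clean.
sudoers_nopasswd_all() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        /NOPASSWD:[[:space:]]*ALL[[:space:]]*(,|$)/ { print; n++ }
        END { exit n + 0 }
    ' "$1"
}

# Constructed sample (not a real host file): the three rules from the article
# plus two extra entries, one of which should be flagged.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# sample sudoers fragment for the lint demo
alice       ALL=(ALL:ALL) ALL
%admin      ALL=(ALL) ALL
%developers ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
deploy      ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx, /usr/bin/journalctl
%ops        ALL=(ALL) NOPASSWD: ALL
EOF

n=0
sudoers_nopasswd_all "$SAMPLE" || n=$?
if [ "$n" -eq 0 ]; then
    echo "ok: no unconditional NOPASSWD: ALL rules"
else
    echo "warning: $n rule(s) above grant NOPASSWD on ALL; restrict them to specific commands"
fi
rm -f "$SAMPLE"
```

The lint deliberately stays a plain text match: sudoers aliases (Cmnd_Alias) can hide an ALL behind a name, so treat a clean result as "nothing obvious" and keep sudo -l -U user as the authoritative view of what a user may actually run.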

Completion Checklist

  • [ ] Listed SUID files with find / -perm -4000 -type f
  • [ ] Checked listening ports with lsof -i
  • [ ] Confirmed you can identify processes in use with fuser -m
  • [ ] Understood the soft vs hard limit difference with ulimit -a
  • [ ] Confirmed the safe sudoers editing flow with visudo
  • [ ] Confirmed login auditing with who / w / last

Summary

Scenario           Command                        Purpose
SUID/SGID audit    find / -perm -4000 -type f     Surface privilege-escalation risk
Port check         lsof -i :PORT                  Identify listening processes
Processes in use   fuser -vm /mount               Find what blocks an unmount
Resource limits    ulimit -Sn / -Hn               Check/set soft and hard limits
sudo config        visudo                         Syntax-checked sudoers editing
Login audit        who / w / last                 Check login activity and history

Security administration rests on two pillars: minimizing privilege and making anomalies visible. After mastering SUID auditing, least-privilege sudo, and ulimit resource protection, combine them with encryption and host hardening to complete your defenses.
