To run a secure computer, you must know of every SUID and SGID file on the system and be sure that each file has the proper permissions for which it was designed.
Unfortunately, there is a huge amount of variation among UNIX vendors in the use of SUID and SGID. Some manufacturers use SUID root for all privilege-requiring programs, while some create special groups for controlling terminals (group tty), or disks (group operator), or memory (group kmem). Some vendors use a variety of approaches. Most change their approaches to SUID and SGID from software release to software release. As a result, any attempt to list SUID and SGID files on a system that is not constrained to a particular release is likely to be incomplete.
You may also receive SUID or SGID files as part of third-party software that you may purchase or download from the net. Many of these third-party programs require SUID root permission because they modify devices or do things on behalf of users. If you choose to use these programs, you should seek assurance from the vendor that superuser privileges are confined to the smallest possible region of the program, and that, in general, rules such as those contained in Chapter 23, Writing Secure SUID and Network Programs, have been followed in coding the software. You may also wish to obtain written representations from the vendor that the security of the computer system will not be compromised as a result of SUID/SGID programs, and that, in the event that the system is compromised, the vendor will pay for damages.
This section contains a list of the SUID and SGID files found in Solaris 2.4, which is representative of System V Release 4 systems in general. Rather than simply presenting a complete list of files, we have annotated the reason that SUID or SGID permissions are set. Our goal is to teach you how to recognize the SUID/SGID files on your system, and make your own decision as to whether the privilege is justified, or whether some lesser privilege would suffice.
You can generate your own list of SUID files by using the command:
# find / -type f -perm -04000 -ls
You can generate a list of SGID files by using the command:
# find / -type f -perm -02000 -ls
-r-sr-xr-x 1 root sys 610480 Aug 3 1994 /sbin/su -r-sr-xr-x 1 root bin 559968 Aug 3 1994 /sbin/sulogin -r-sr-xr-x 1 root sys 15156 Jul 16 1994 /usr/bin/su
The su command is SUID root so it can alter the process's effective UID. We don't understand why sulogin needs to be SUID root, because it is only run when the system boots in single-user mode (and, presumably, it is already running as root). The /sbin/su program is statically linked, which is why it is so much larger than /usr/bin/su, which uses shared libraries.
-rwsr-xr-x 1 root sys 32144 Jul 15 1994 /usr/bin/at -rwsr-xr-x 1 root sys 12128 Jul 15 1994 /usr/bin/atq -rwsr-xr-x 1 root sys 10712 Jul 15 1994 /usr/bin/atrm
The at commands are SUID root because they run commands for all user IDs, and need root permissions to set the user and group permissions of jobs. Additionally, the directory where these jobs are stored is protected to prevent snooping and tampering with the files, and root permissions are used to enforce these protections.
-r-sr-xr-x 1 root sys 29976 Jul 16 1994 /usr/bin/chkey
The chkey command is SUID root because it accesses the /etc/publickey database.
-r-sr-xr-x 1 root bin 14600 Jul 15 1994 /usr/bin/cron
The cron program is SUID root so that it can alter files in the /var/spool/cron directory. As with the at commands above, it also runs jobs under different user IDs and needs root privileges to do so.
-r-sr-xr-x 1 root bin 9880 Jul 16 1994 /usr/bin/eject -r-sr-xr-x 1 root bin 22872 Jul 16 1994 /usr/bin/fdformat -r-sr-xr-x 1 root bin 4872 Jul 16 1994 /usr/bin/volcheck
These programs are SUID root because they directly manipulate the floppy disk device.
-r-sr-xr-x 1 root bin 27260 Jul 16 1994 /usr/bin/login
login must be SUID root so that one user can use login to log in as another user without first logging out. If login were not SUID root, it could not change its real and effective UID to be that of another user. If the program is not SUID, then users need to log out before logging in as another user - a minor inconvenience. Many site administrators prefer this behavior and remove the SUID permission on login as a result.
-rwsr-xr-x 1 root sys 9520 Jul 16 1994 /usr/bin/newgrp
newgrp is SUID root because it must alter the process's effective and real group IDs (GIDS).
-r-sr-sr-x 1 root sys 11680 Jul 16 1994 /usr/bin/passwd
This program must be SUID root because it modifies the /etc/passwd or /etc/shadow files.
-r-sr-xr-x 1 root sys 17800 Jul 16 1994 /usr/bin/ps -r-sr-xr-x 1 root bin 12080 Jul 16 1994 /usr/sbin/whodo
These programs are SUID root because they need access to the computer's /dev/mem and /dev/kmem devices, and to access some accounting files. Perhaps a safer approach would be to have a kmem group and have needed files be SGID kmem.
-r-sr-xr-x 1 root bin 15608 Jul 15 1994 /usr/bin/rcp -r-sr-xr-x 1 root bin 60268 Jul 15 1994 /usr/bin/rdist -r-sr-xr-x 1 root bin 14536 Jul 15 1994 /usr/bin/rlogin -r-sr-xr-x 1 root bin 7920 Jul 15 1994 /usr/bin/rsh -rwsr-xr-x 1 root other 7728 Jul 16 1994 /usr/bin/yppasswd -r-sr-x--x 1 root bin 134832 Jul 16 1994 /usr/lib/sendmail -r-sr-x--x 1 root bin 137552 Jul 16 1994 /usr/lib/sendmail.mx -r-sr-xr-x 1 root bin 17968 Jul 15 1994 /usr/sbin/ping -r-sr-xr-x 1 root bin 510532 Jul 15 1994 /usr/sbin/static/rcp
In general, these programs are all SUID root because they need to create TCP/IP connections on ports below 1024. The sendmail program also needs the ability to modify files stored in its working directories. The ping program needs to use raw IP.
-rws--x--x 1 uucp bin 55608 Jul 16 1994 /usr/bin/tip ---s--x--x 1 root uucp 68816 Jul 15 1994 /usr/bin/ct ---s--x--x 1 uucp uucp 81904 Jul 15 1994 /usr/bin/cu
These programs are SUID uucp so that they can access the dialer and modem devices.
-r-sr-xr-x 2 root bin 10888 Jul 16 1994 /usr/bin/uptime -r-sr-xr-x 2 root bin 10888 Jul 16 1994 /usr/bin/w
We can't figure out why these programs are SUID root, as they access files (/var/adm/utmp and /dev/kstat) that are world-readable. These are hard links which you can verify by using ls -li.
---s--x--x 1 uucp uucp 64240 Jul 15 1994 /usr/bin/uucp ---s--x--x 1 uucp uucp 21304 Jul 15 1994 /usr/bin/uuglist ---s--x--x 1 uucp uucp 17144 Jul 15 1994 /usr/bin/uuname ---s--x--x 1 uucp uucp 60952 Jul 15 1994 /usr/bin/uustat ---s--x--x 1 uucp uucp 68040 Jul 15 1994 /usr/bin/uux ---s--x--x 1 uucp uucp 4816 Jul 15 1994 /usr/lib/uucp/remote.unknown ---s--x--x 1 uucp uucp 169096 Jul 15 1994 /usr/lib/uucp/uucico ---s--x--x 1 uucp uucp 32016 Jul 15 1994 /usr/lib/uucp/uusched ---s--x--x 1 uucp uucp 81040 Jul 15 1994 /usr/lib/uucp/uuxqt
These programs are SUID uucp because they need to access privileged UUCP directories and files.
-r-sr-xr-x 1 root bin 21496 Jul 16 1994 /usr/lib/exrecover
This file is SUID root so that it can access the directory in which editor recovery files are saved. As we have said in other places in the book, a more secure approach would be to have an account specifically created for accessing this directory, or to create user-owned subdirectories in a common save directory.
-r-sr-sr-x 1 root tty 151352 Jul 15 1994 /usr/lib/fs/ufs/ufsdump -r-sr-xr-x 1 root bin 605348 Jul 15 1994 /usr/lib/fs/ufs/ufsrestore
These files are SUID root so that users other than the superuser can make backups. In the Solaris version of these commands, any user who is in the sys group can dump the contents of the system's disks and restore them without having root access. (As a result, having sys access on this operating system means that you can effectively read any file on the computer by using a combination of ufsdump and ufsrestore.) Note: the fact that users in the sys group can dump and undump tapes is not documented in the man page. Other programs may give undocumented privileges to users who happen to be in particular groups.
-rwsr-xr-x 1 root adm 4008 Jul 15 1994 /usr/lib/acct/accton
There must be some reason that this program is SUID root. But, once again, we can't figure it out, as the program gives the error "permission denied" when it is run by anybody other than the superuser.
-rwsr-xr-x 3 root bin 13944 Jul 16 1994 /usr/sbin/allocate -rwsr-xr-x 3 root bin 13944 Jul 16 1994 /usr/sbin/deallocate -rwsr-xr-x 3 root bin 13944 Jul 16 1994 /usr/sbin/list_devices
The allocate command allocates devices to users based on the Solaris allocation mechanism. For more information, refer to the Solaris documentation. We believe that the mkdevalloc and mkdevmaps commands are part of the same system, but they are not documented.
-rwsr-xr-x 1 root sys 21600 Jul 16 1994 /usr/sbin/sacadm
The sacadm is the top-level entry point into the Service Access Facility system.
-rwsrwxr-x 1 root bin 87808 Jun 24 1994 /usr/openwin/bin/xlock
We think that xlock needs to be SUID root so that it can read your password from the shadow file.
-r-sr-sr-x 1 root sys 20968 Jun 27 1995 /usr/dt/bin/dtaction -r-sr-xr-x 1 root bin 69172 Jun 27 1995 /usr/dt/bin/dtappgather -r-sr-xr-x 1 root bin 134600 Jun 27 1995 /usr/dt/bin/dtsession -r-sr-xr-x 1 root bin 373332 Jun 27 1995 /usr/dt/bin/dtprintinfo -r-sr-sr-x 1 root daemon 278060 Jun 27 1995 /usr/dt/bin/sdtcm_convert
These programs all appear to perform session management as part of the Common Desktop Environment 1.0. We don't know why dtaction needs to be SUID root.
The following programs are SUID and undocumented. This combination is dangerous, because there is no way to tell for sure what these programs are supposed to do, if they have their SUID/SGID bits properly set, or if they are even part of the standard operating system release.
---s--x--x 1 root bin 3116 Jul 16 1994 /usr/lib/pt_chmod -r-sr-xr-x 1 root bin 5848 Jul 16 1994 /usr/lib/utmp_update -rwsr-xr-x 1 root bin 8668 Jul 16 1994 /usr/sbin/mkdevalloc -rwsr-xr-x 1 root bin 9188 Jul 16 1994 /usr/sbin/mkdevmaps -r-sr-sr-x 1 root bin 14592 Jul 15 1994 /usr/openwin/bin/ff.core -rwsr-xr-x 1 root bin 19580 Jun 24 1994 /usr/openwin/lib/mkcookie -rwsr-sr-x 1 bin bin 8288 Jul 16 1994 /usr/vmsys/bin/chkperm -r-sr-xr-x 1 lp lp 203 Jul 18 1994 /etc/lp/alerts/printer
-rwxr-sr-x 1 root sys 147832 Jul 15 1994 /usr/kvm/crash -r-xr-sr-x 1 bin sys 31440 Jul 15 1994 /usr/bin/netstat -r-xr-sr-x 1 bin sys 11856 Jul 16 1994 /usr/bin/nfsstat -r-xr-sr-x 1 bin sys 11224 Jul 16 1994 /usr/bin/ipcs -r-xr-sr-x 1 root bin 6912 Jul 15 1994 /usr/sbin/arp -r-xr-sr-x 1 bin sys 6280 Jul 16 1994 /usr/sbin/fusage -r-xr-sr-x 1 root sys 15128 Jul 16 1994 /usr/sbin/prtconf -r-xr-sr-x 1 bin sys 7192 Jul 16 1994 /usr/sbin/swap -r-xr-sr-x 1 root sys 21416 Jul 16 1994 /usr/sbin/sysdef -r-xr-sr-x 1 bin sys 5520 Jul 15 1994 /usr/sbin/dmesg -rwxr-sr-x 1 root sys 12552 Jul 18 1994 /usr/openwin/bin/wsinfo -rwxrwsr-x 1 root sys 9272 Jul 18 1994 /usr/openwin/bin/xload
These programs examine and/or modify memory of the running system and use group permissions to read the necessary device files.
-r-xr-sr-x 1 bin sys 28696 Jul 16 1994 /usr/kvm/eeprom
The eeprom program allows you to view or modify the contents of the system's EEPROM. It should probably not be executable by non-root users.
-r-x--s--x 1 bin mail 65408 Jul 16 1994 /usr/bin/mail -r-x--s--x 1 bin mail 132888 Jul 16 1994 /usr/bin/mailx -r-xr-sr-x 1 root mail 449960 Jul 15 1994 /usr/openwin/bin/mailtool -r-xr-sr-x 1 bin mail 825220 Jun 27 1995 /usr/dt/bin/dtmail -r-xr-sr-x 1 bin mail 262708 Jun 27 1995 /usr/dt/bin/dtmailpr
The mail programs can be used to send mail or read mail in the /var/mail directory. We are not certain why these programs need to be SGID mail,; however, we suspect it involves lock management.
-r-sr-sr-x 1 root sys 20968 Jun 27 1995 /usr/dt/bin/dtaction
This is another part of the Common Desktop Environment system. We don't know why it is both SUID and SGID.
-r-sr-sr-x 1 root sys 11680 Jul 16 1994 /usr/bin/passwd
We do not know why this program needs to be both SUID root and SGID sys.
-r-xr-sr-x 1 bin tty 9984 Jul 16 1994 /usr/bin/write -r-sr-sr-x 1 root tty 151352 Jul 15 1994 /usr/lib/fs/ufs/ufsdump -r-xr-sr-x 1 bin tty 9296 Jul 16 1994 /usr/sbin/wall
These programs are SGID tty so that they can write on the devices of users.
-rwxr-sr-x 1 root root 650620 Jun 24 1994 /usr/openwin/bin/Xsun
Xsun is the X-Window server for the Sun. It is SGID so that it can access necessary device files.
-r-sr-sr-x 1 root daemon 278060 Jun 27 1995 /usr/dt/bin/sdtcm_convert
This program converts files from the Open Windows calendar data format version 3 to version 4. According to the documentation, sdtcm_convert must be run by the superuser or the owner of the calendar. Users can only run the program on their own calendars; the superuser can run the program on any calendar. Because the /var/spool/calendar directory is mode 3777, there should be no reason for this program to be SUID or SGID.
These files are not documented in the Solaris system documentation:
-r-sr-sr-x 1 root bin 14592 Jul 15 1994 /usr/openwin/bin/ff.core -rwsr-sr-x 1 bin bin 8288 Jul 16 1994 /usr/vmsys/bin/chkperm
This list of SUID and SGID files in Berkeley UNIX was derived by looking at computers made by Sun Microsystems, Digital Equipment Corporation, and NeXT Inc. The list of SUID and SGID files on your version of Berkeley UNIX is likely to be different. For this reason, we not only list which files are SUID and SGID, we also explain why they are SUID or SGID. After reading this list, you should be able to look at all of the SUID and SGID files on your system and figure out why your files have been set in particular ways. If you have a question about a file that is SUID or SGID, consult your documentation or contact your vendor.
-rwsr-xr-x 1 root wheel 16384 Aug 18 1989 /usr/etc/ping
ping must be SUID root so that it can transmit ICMP ECHO requests on the raw IP port.
-r-s--x--x 1 root wheel 16384 Aug 18 1989 /usr/etc/timedc
The timedc (Time Daemon Control) program must be SUID root so that it can access the privileged time port.
-r-sr-x--x 3 root wheel 81920 Sep 7 1989 /usr/lib/sendmail -r-sr-x--x 3 root wheel 81920 Sep 7 1989 /usr/bin/newaliases -r-sr-x--x 3 root wheel 81920 Sep 7 1989 /usr/bin/mailq
These programs are all hard links to the same binary. The sendmail program must be SUID root because it listens on TCP/IP port 25, which is privileged.
-rwsr-xr-x 1 root wheel 16384 Aug 15 1989 /usr/lib/ex3.7recover -rwsr-xr-x 1 root wheel 16384 Aug 15 1989 /usr/lib/ex3.7preserve
These programs, part of the vi editor system, must be SUID root so they can read and write the backup files used by vi. (These are often SGID preserve.)
-rws--x--x 1 root wheel 40960 Nov 15 1989 /usr/lib/lpd -rws--s--x 1 root daemon 24576 Sep 6 1989 /usr/ucb/lpr -rws--s--x 1 root daemon 24576 Sep 6 1989 /usr/ucb/lpq -rws--s--x 1 root daemon 24576 Sep 6 1989 /usr/ucb/lprm
The line-printer daemon must be SUID root so it can listen on TCP/IP port 515, the printer port, and so can read and write files in the /usr/spool/lpd directory. Likewise, the line-printer user commands must be SUID so they can access spool files and the printer device.
-rwsr-xr-x 1 root wheel 24576 Aug 18 1989 /bin/ps -rwsr-xr-x 2 root wheel 57344 Aug 18 1989 /usr/ucb/w -rwsr-xr-x 2 root wheel 57344 Aug 18 1989 /usr/ucb/uptime -rwsr-xr-x 1 root wheel 16384 Aug 18 1989 /usr/bin/iostat
These programs must be SUID root because they need to read the kernel's memory to generate the statistics that they print. On some systems, these programs are distributed SGID kmem, and /dev/kmem is made readable only by this group. This second approach is more secure than the first approach.
-rwsr-xr-x 1 root wheel 16384 Aug 18 1989 /usr/ucb/quota
The quota command must be SUID root so that it can read the quota file.
-rwsr-xr-x 1 root wheel 16384 Aug 18 1989 /usr/ucb/rcp -rwsr-x--x 1 root wheel 32768 Aug 18 1989 /usr/ucb/rdist -rwsr-xr-x 1 root wheel 16384 Aug 23 1989 /usr/ucb/rlogin -rwsr-xr-x 1 root wheel 16384 Aug 18 1989 /usr/ucb/rsh -rwsr-sr-x 1 root tty 32768 Nov 11 17:17 /usr/etc/rdump
These programs must be SUID root because they use privileged ports to do username authentication.
-rwsr-xr-x 1 daemon wheel 16384 Aug 18 1989 /usr/bin/atq -rwsr-xr-x 1 daemon wheel 16384 Aug 18 1989 /usr/bin/at -rwsr-xr-x 1 daemon wheel 16384 Aug 18 1989 /usr/bin/atrm
These programs must be SUID because they access and modify spool files that are kept in privileged directories.
-rws--x--x 2 root daemon 205347 Sep 29 10:14 /usr/bin/tip -rws--x--x 2 root daemon 205347 Sep 29 10:14 /usr/bin/cu
tip and cu, which are both hard links to the same binary, must be SUID root so that they can have physical access to the modem device. On some systems, these files may be SUID UUCP.
-rwsr-xr-x 1 root wheel 16384 Aug 18 1989 /bin/login
login must be SUID root so that one user can use login to log in as another user, without first logging out. If login were not SUID root, it could not change its real and effective UID to be that of another user.
-rwsr-xr-x 1 root wheel 16384 Aug 21 1989 /bin/mail
mail must be SUID root so that it can append messages to a user's mail file.
-rwsr-xr-x 1 root wheel 16384 Aug 18 1989 /bin/passwd -rwsr-xr-x 1 root system 28672 Feb 21 1990 /usr/ucb/chsh -rwsr-xr-x 1 root system 28672 Feb 21 1990 /usr/ucb/chfn
These programs must be SUID root because they modify the /etc/passwd file.
-rwsr-xr-x 1 root wheel 16384 Sep 3 1989 /bin/su
su must be SUID root so it can change its process's effective UID to that of another user.
--s--s--x 1 uucp daemon 24576 Sep 3 1989 /usr/bin/uucp --s--s--x 1 uucp daemon 24576 Sep 3 1989 /usr/bin/uux --s--s--x 1 uucp daemon 16384 Sep 3 1989 /usr/bin/uulog --s--s--x 1 uucp daemon 16384 Sep 3 1989 /usr/bin/uuname --s--s--x 1 uucp daemon 16384 Sep 3 1989 /usr/bin/uusnap --s--s--x 1 uucp daemon 24576 Sep 3 1989 /usr/bin/uupoll --s--s--x 1 uucp daemon 16384 Sep 3 1989 /usr/bin/uuq --s--s--x 2 uucp daemon 16384 Sep 3 1989 /usr/bin/uusend --s--s--x 2 uucp daemon 16384 Sep 3 1989 /usr/bin/ruusend --s--s--x 1 uucp daemon 90112 Sep 3 1989 /usr/lib/uucp/uucico --s--s--x 1 uucp daemon 24576 Sep 3 1989 /usr/lib/uucp/uuclean --s--s--- 1 uucp daemon 32768 Sep 3 1989 /usr/lib/uucp/uuxqt --s--x--x 1 uucp daemon 32768 Feb 21 1990 /usr/var/uucp/uumonitor --s--x--x 1 uucp daemon 86016 Feb 21 1990 /usr/var/uucp/uucompact --s--x--x 1 uucp daemon 77824 Feb 21 1990 /usr/var/uucp/uumkspool --s------ 1 uucp daemon 90112 Feb 21 1990 /usr/var/uucp/uurespool
These UUCP files are SUID uucp so they can access and modify the protected UUCP directories. Not all of these will be SUID in every system.
-rwsr-xr-x 1 root system 954120 Jun 8 03:58 /usr/bin/X11/xterm -rwsr-xr-x 1 root system 155648 Nov 16 1989 /usr/lib/X11/getcons
xterm is SUID because it needs to be able to change the ownership of the pty that it creates for the X terminal. getcons is SUID because it needs to be able to execute a privileged kernel call.
-rwxr-sr-x 1 root kmem 4772 Nov 11 17:07 /usr/etc/arp -rwxr-sr-x 1 root kmem 2456 Nov 11 17:14 /usr/etc/dmesg -rwxr-sr-x 1 root kmem 4276 Nov 11 17:35 /usr/etc/kgmon -rwxr-sr-x 1 root kmem 5188 Nov 11 18:16 /usr/etc/vmmprint -rwxr-sr-x 1 root kmem 3584 Nov 11 18:16 /usr/etc/vmoprint -rwxr-sr-x 1 root kmem 5520 Nov 11 20:38 /usr/etc/nfsstat -r-xr-sr-x 1 root kmem 32768 Oct 22 10:30 /usr/ucb/gprof -rwxr-sr-x 1 root kmem 40960 Nov 11 18:39 /usr/ucb/netstat -rwxr-sr-x 1 root kmem 24576 Nov 11 18:57 /usr/ucb/sysline -rwxr-sr-x 1 root kmem 76660 Jun 8 03:56 /usr/bin/X11/xload
These commands are SGID because they need to be able to access the kernel's memory.
-rwxr-sr-x 1 root tty 2756 Nov 11 17:05 /bin/wall -rwxr-sr-x 1 root tty 4272 Nov 11 17:06 /bin/write
These commands are SGID because they need to be able to access the raw terminal devices.
---s--s--x 1 uucp daemon 90112 Nov 11 20:25 /usr/lib/uucp/uucico ---s--s--x 1 uucp daemon 11136 Nov 11 20:25 /usr/lib/uucp/uuclean ---s--s--- 1 uucp daemon 32768 Nov 11 20:26 /usr/lib/uucp/uuxqt ---s--s--x 1 uucp daemon 24576 Nov 11 20:25 /usr/bin/uucp ---s--s--x 1 uucp daemon 24576 Nov 11 20:25 /usr/bin/uux ---s--s--x 1 uucp daemon 4620 Nov 11 20:25 /usr/bin/uulog ---s--s--x 1 uucp daemon 5776 Nov 11 20:25 /usr/bin/uuname ---s--s--x 1 uucp daemon 4260 Nov 11 20:26 /usr/bin/uusnap ---s--s--x 1 uucp daemon 24576 Nov 11 20:26 /usr/bin/uupoll ---s--s--x 1 uucp daemon 8716 Nov 11 20:26 /usr/bin/uuq ---s--s--x 2 uucp daemon 3548 Nov 11 20:26 /usr/bin/uusend ---s--s--x 2 uucp daemon 3548 Nov 11 20:26 /usr/bin/ruusend
These commands are all SGID because they need to be able to access UUCP spool files.
-rwx--s--x 1 root daemon 24576 Oct 27 18:39 /usr/etc/lpc -rws--s--x 1 root daemon 40960 Oct 27 18:39 /usr/lib/lpd -rws--s--x 1 root daemon 24576 Oct 27 18:39 /usr/ucb/lpr -rws--s--x 1 root daemon 24576 Oct 27 18:39 /usr/ucb/lpq -rws--s--x 1 root daemon 24576 Oct 27 18:39 /usr/ucb/lprm
These commands are all SGID because they need to be able to access the line-printer device and spool files.
-rwxr-sr-x 1 root operator 6700 Nov 11 16:53 /bin/df
This command is SGID because it needs access to the raw disk device (which is owned by the group operator on some versions of Berkeley UNIX).