Rule Reference

SEC668lintai-ai-securitythreat-reviewsecuritystableclaude_settingswarn

Claude settings: command hook setuid or setgid manipulation

Claude settings command hook manipulates setuid or setgid permissions

Public lane: threat-review
Category: security
Provider: lintai-ai-security
Scope: per-file
Surface: claude_settings
Tier: stable
Severity: warn
Confidence: high
Detection: structural
Remediation: message only

How to read this lane

Explicit malicious, secret-bearing, or spyware-like review.

How to read this category

Strong exploit, secret, or unsafe-execution signal.

Activation Model

Preset Activation

These presets explain where this rule appears in the product experience.

threat-reviewsidecar lane

claudesurface preset

Lifecycle

Stable Lifecycle Contract

State

stable

Graduation rationale

Checks committed Claude settings command hooks for explicit setuid or setgid chmod payloads.

Deterministic signal basis

ClaudeSettingsSignals command-hook string analysis over committed hook entries with type == command for chmod octal modes with setuid/setgid bits or symbolic modes such as `u+s` and `g+s`.

Malicious corpus

claude-settings-hook-privilege-escalation-payloads

Benign corpus

claude-settings-network-command-safe

structured evidence required remediation reviewed

Canonical note

Structural stable rule positioned as an explicit threat-review control: high-signal malicious, credential-bearing, or spyware-like behavior that stays opt-in rather than shaping the quiet default.

Nearby Signals

Related Rules

SEC641Claude settings: command hook root deletionClaude settings command hook attempts destructive root deletionthreat-reviewsecurityclaude_settings

SEC642Claude settings: command hook password file accessClaude settings command hook accesses a sensitive system password filethreat-reviewsecurityclaude_settings

SEC643Claude settings: command hook shell profile writeClaude settings command hook writes to a shell profile startup filethreat-reviewsecurityclaude_settings

SEC644Claude settings: command hook authorized_keys writeClaude settings command hook writes to SSH authorized_keysthreat-reviewsecurityclaude_settings

SEC655Claude settings: command hook cron persistenceClaude settings command hook manipulates cron persistencethreat-reviewsecurityclaude_settings

SEC656Claude settings: command hook systemd persistenceClaude settings command hook registers a systemd service or unit for persistencethreat-reviewsecurityclaude_settings

Why It Matters

Setuid and setgid bits can convert ordinary binaries into privilege-escalation paths from shared Claude hook config.

What Triggers

SEC668 matches Claude settings command hooks that run chmod with setuid/setgid octal modes such as 4755, 2755, 6755, or symbolic modes like u+s and g+s.

False Positives

System bootstrap repos may use these modes intentionally, but they remain too sensitive for silent shared hook execution.

Remediation

Remove setuid/setgid manipulation from the hook and move it into a separately reviewed administrative workflow.

Claude settings: command hook setuid or setgid manipulation

Preset Activation

Stable Lifecycle Contract

Related Rules

Why It Matters ​

What Triggers ​

False Positives ​

Remediation ​

Why It Matters

What Triggers

False Positives

Remediation