
[linux-security] Re: rh62 suid files



On Thu, 27 Jul 2000, Martin Macok wrote:

> Hi,
> I believe having less root setuid binaries on system is The Way ...
> so:
> 
> Why does RH6.2 ship with /sbin/dump & /sbin/restore root setuid? These
> are for sysadmins, not for regular users I hope.

Agreed. System backup should always be done only by root, all other ways
try miserably. Remember BRU?

> Is /sbin/unix_chkpwd really used and what is it used for? I haven't found
> anything about it in pam documentation.

It allows PAM modules (after some sanity checks - use the source, Luke!)
to access /etc/shadow without further need for uid==0.

> Is it really necessary to ship /usr/bin/gpasswd and /usr/bin/newgrp? Does
> anybody really use them on Linux? Maybe these should be extras ... (maybe
> they are needed by POSIX or something similar).

Feel free to delete them if you don't like them. But otherwise yes, there
are users who use them.

> What is /usr/bin/sperl5.00503 (suidperl) being used for? Why doesn't this
> have a manpage? Is it necessary?

It is necessary for perl to be able to properly execute scripts with suid
bit set. Again: if you don't need that, feel free to delete suidperl.

> According to glibc documentation /usr/libexec/pt_chown doesn't need to be
> setuid nor is not used at all on RH6.2 (see /usr/doc/glibc-2.1.3/INSTALL),
> why does RH6.2 ship it setuid root?

/usr/libexec/pt_chown is being used for example by my favorite xterm
clone, gnome-terminal. Every xterm-alike application needs to chown your
tty. I think that doing it via a small wrapper (pt_chown) is a much better
way than giving suid bit to that whole application.

> Does /sbin/netreport need root setgid bit? I could not find it being used
> somewhere by regular users for any good reasons ...

I don't know what /sbin/netreport is being used for, but anyway: sgid root
is harmless. Which doesn't mean that gid==0 would be available for
free, of course.

> Have a nice day

2U2 :)


Leos Bitto
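
The audit this thread revolves around, as an added example that is not part of the original message: list every setuid/setgid file under a tree and report the ones missing from a site allowlist. The function names, the allowlist format (one path per line, `#` comments) and the demo tree, built in a temporary directory, are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Paths containing newlines are
# not handled; the demo tree below is constructed for illustration.

# Print "suid <path>" or "sgid <path>" for each privileged regular file under $1.
list_privileged() {
    find "$1" -xdev -type f -perm -4000 -print | sed 's/^/suid /'
    find "$1" -xdev -type f -perm -2000 -print | sed 's/^/sgid /'
}

# Report privileged files under $1 that are not listed in allowlist file $2.
audit_privileged() {
    list_privileged "$1" | sort | while read -r kind path; do
        grep -v '^#' "$2" | grep -Fxq -- "$path" ||
            printf '%s %s\n' "$kind" "$path"
    done
}

# Constructed tree mirroring the files named in the thread.
demo() {
    _root=$(mktemp -d) || return 1
    mkdir -p "$_root/sbin" "$_root/usr/bin" "$_root/usr/libexec"
    for f in sbin/dump sbin/netreport usr/bin/gpasswd \
             usr/libexec/pt_chown usr/bin/ls; do
        : > "$_root/$f"
        chmod 0755 "$_root/$f"
    done
    chmod u+s "$_root/sbin/dump" "$_root/usr/bin/gpasswd" \
              "$_root/usr/libexec/pt_chown"
    chmod g+s "$_root/sbin/netreport"
    # Allowlist: the small wrapper is kept deliberately.
    printf '%s\n' "# kept on purpose" "$_root/usr/libexec/pt_chown" \
        > "$_root/allow"
    audit_privileged "$_root" "$_root/allow"
    rm -rf "$_root"
}

demo
```

On a real system the first argument would be `/` and the allowlist a reviewed file; anything the audit prints is a candidate for `chmod u-s` / `chmod g-s` or package removal.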


