[2391] in linux-security and linux-alert archive
[linux-security] Re: rh62 suid files
daemon@ATHENA.MIT.EDU (Leos Bitto)
Fri Jul 28 06:23:39 2000
Date: Fri, 28 Jul 2000 10:47:34 +0200 (CEST)
From: Leos Bitto <leos@staff.globopolis.com>
To: Martin Macok <martin.macok@underground.cz>
cc: linux-security@redhat.com
In-Reply-To: <20000727203848.B2882@localhost>
Message-ID: <Pine.LNX.4.21.0007281036560.5380-100000@server.office.globopolis.com>
On Thu, 27 Jul 2000, Martin Macok wrote:
> Hi,
> I believe having fewer root setuid binaries on the system is The Way ...
> so:
>
> Why does RH6.2 ship with /sbin/dump & /sbin/restore root setuid? These
> are for sysadmins, not for regular users I hope.
Agreed. System backup should always be done only by root, all other ways
try miserably. Remember BRU?
> Is /sbin/unix_chkpwd really used and what is it used for? I haven't found
> anything about it in the PAM documentation.
It allows PAM modules (after some sanity checks - use the source, Luke!)
to access /etc/shadow without further need for uid==0.
> Is it really necessary to ship /usr/bin/gpasswd and /usr/bin/newgrp? Does
> anybody really use them on Linux? Maybe these should be extras ... (maybe
> they are needed by POSIX or something similar).
Feel free to delete them if you don't like them. But otherwise yes, there
are users who use them.
> What is /usr/bin/sperl5.00503 (suidperl) being used for? Why doesn't this
> have a manpage? Is it necessary?
It is necessary for perl to be able to properly execute scripts with suid
bit set. Again: if you don't need that, feel free to delete suidperl.
> According to glibc documentation /usr/libexec/pt_chown doesn't need to be
> setuid, nor is it used at all on RH6.2 (see /usr/doc/glibc-2.1.3/INSTALL),
> why does RH6.2 ship it setuid root?
/usr/libexec/pt_chown is being used for example by my favorite xterm
clone, gnome-terminal. Every xterm-alike application needs to chown your
tty. I think that doing it via a small wrapper (pt_chown) is a much better
way than giving suid bit to that whole application.
> Does /sbin/netreport need root setgid bit? I could not find it being used
> somewhere by regular users for any good reasons ...
I don't know what /sbin/netreport is being used for, but anyway: sgid root
is harmless. Which doesn't mean that gid==0 should be available for
free, of course.
> Have a nice day
2U2 :)
Leos Bitto
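
An audit along the lines of this exchange, as an added example that is not part of either author's message: it lists setuid/setgid files under a tree and labels them using the paths named in the thread. The function names, the verdict labels, and the choice to clear the bits rather than delete the files are assumptions of this example.

```shell
#!/bin/sh
# Added example: label setuid/setgid files using the paths named in this thread.
# List names and verdict labels are assumptions of this example.

# Reply agrees the bit is unneeded, or says the file may be deleted if unused.
OPTIONAL="/sbin/dump /sbin/restore /usr/bin/gpasswd /usr/bin/newgrp /usr/bin/sperl5.00503"
# Reply gives a reason for the privilege.
EXPLAINED="/sbin/unix_chkpwd /usr/libexec/pt_chown"

# audit_suid ROOT: print "<bits> <verdict> <path>" for every setuid/setgid
# regular file under ROOT (paths are shown relative to ROOT).
audit_suid() {
    root=${1%/}
    # -xdev keeps the walk on one filesystem; unreadable directories are skipped.
    find "${root:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        rel=${f#"$root"}
        bits=
        if [ -u "$f" ]; then bits=suid; fi
        if [ -g "$f" ]; then bits=${bits:+$bits+}sgid; fi
        verdict=unreviewed
        for p in $OPTIONAL; do
            if [ "$rel" = "$p" ]; then verdict=optional; fi
        done
        for p in $EXPLAINED; do
            if [ "$rel" = "$p" ]; then verdict=explained; fi
        done
        printf '%s %s %s\n' "$bits" "$verdict" "$rel"
    done | sort -k3
}

# strip_optional ROOT [apply]: clear the bits on "optional" files.
# Without "apply" it only prints what it would do (dry run).
strip_optional() {
    audit_suid "$1" | while read -r bits verdict rel; do
        [ "$verdict" = optional ] || continue
        if [ "${2:-}" = apply ]; then
            chmod u-s,g-s "${1%/}$rel"
        else
            echo "would run: chmod u-s,g-s ${1%/}$rel"
        fi
    done
}

# Usage: sh audit.sh /    (audit only; nothing is changed)
if [ "$#" -gt 0 ]; then audit_suid "$1"; fi
```

Anything reported as `unreviewed`, such as /sbin/netreport from the thread, is left for a manual decision.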