[2392] in linux-security and linux-alert archive
[linux-security] Re: rh62 suid files
daemon@ATHENA.MIT.EDU (Martin Macok)
Fri Jul 28 06:49:02 2000
Date: Fri, 28 Jul 2000 12:04:36 +0200
From: Martin Macok <martin.macok@underground.cz>
To: linux-security@redhat.com
Message-ID: <20000728120436.C1352@localhost>
Mail-Followup-To: linux-security@redhat.com
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5;
protocol="application/pgp-signature"; boundary="8t9RHnE3ZwKMSgU+"
Content-Disposition: inline
In-Reply-To: <Pine.LNX.4.21.0007281036560.5380-100000@server.office.globopolis.com>; from leos@staff.globopolis.com on Fri, Jul 28, 2000 at 10:47:34AM +0200
Resent-From: linux-security@redhat.com
--8t9RHnE3ZwKMSgU+
Content-Type: text/plain; charset=iso-8859-2
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On Fri, Jul 28, 2000 at 10:47:34AM +0200, Leos Bitto wrote:
> > Is /sbin/unix_chkpwd really used and what is it used for? I haven't find
> > anything about it in pam documentation.
>=20
> It allows PAM modules (after some sanity checks - use the source, Luke!)
> to access /etc/shadow without further need for uid=3D=3D0.
Anyway, it should be noted somewhere in pam docs. /sbin/pwdb_chkpwd is
meant there so /sbin/unix_chkpwd could be too.
I wonder there are root setuid binaries completely without documentation.
(I have to download sources from dialup/PPP :\ )
> > What is /usr/bin/sperl5.00503 (suidperl) being used for? Why this doesn=
't
> > have a manpage? Is it necessary?
>=20
> It is necessary for perl to be able to properly execute scripts with suid
> bit set. Again: if you don't need that, feel free to delete suidperl.
As somebody noted in private mail, man perlsec explains it clearly. I vote
for linking suidperl->sperl->perlsec manpage ...
(just an OLD HISTORY note for interested:
http://www.cert.org/advisories/CA-97.17.sperl.html)
> > According to glibc documentation /usr/libexec/pt_chown doesn't need to =
be
> > setuid nor is not used at all on RH6.2 (see /usr/doc/glibc-2.1.3/INSTAL=
L),
> > why does RH6.2 ships it setuid root?
>=20
> /usr/libexec/pt_chown is being used for example by my favorite xterm
> clone, gnome-terminal. Every xterm-alike apllication needs to chown your
> tty. I think that doing it via a small wrapper (pt_chown) is much better
> way than giving suid bit to that whole application.
The documentation I noted (/usr/doc/glibc-2.1.3/INSTALL) says:
=2E..
If you are using a 2.1 or newer Linux kernel with the `devptsfs' or
`devfs' filesystems providing pty slaves, you don't need this program;
otherwise you do.
=2E..
Red Hat 6.x ships with 2.2.x with devptsfs compiled in. AFAIK xterm and
friends (rxvt, xterm, gnome-terminal ...) doesn't need
/usr/libexec/pt_chown, works well without it and they doesn't need to
be root setuid ...
> > Have a nice day
>=20
> 2U2 :)
dtto. ;)
P.S. The world is so small ...
--=20
< Martin Ma=E8ok martin.macok@underground.cz <iso-8859-2>=
=20
\\. http://kocour.ms.mff.cuni.cz/~macok/ http://underground.cz/ .//
\\\.. .-=3D t.r.u.s.t n.0 o.n.e =3D-. ..///
--8t9RHnE3ZwKMSgU+
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE5gVqz9uSLtLrzBfMRAi01AJ9Y88PNgi51vzhjtxbzytKSbdCL3QCgx+wk
xmC5e/yjWOcG+FMWSf+AQuQ=
=Q2ik
-----END PGP SIGNATURE-----
--8t9RHnE3ZwKMSgU+--
--
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------
To unsubscribe:
mail -s unsubscribe linux-security-request@redhat.com < /dev/null
