"Karl J. Runge" wrote:
> /bin/login needs to be able to change to the userid who is logging in
> (e.g. via something like setuid(2)). In some cases /bin/login is run
> by an unprivileged process.

Is there a semi-canonical list of the things that must run setuid on a
Linux system, and why? This would help from an auditing perspective.

FWIW, here's a list of setuid programs from an old RH 5.2 system:

# find / -perm +04000 -exec ls -l {} \;
-rws--x--x 1 root root 4272 Oct 10 1998 /usr/X11R6/bin/Xwrapper
-rws--x--x 1 root root 147028 Oct 10 1998 /usr/X11R6/bin/xterm
-rws--x--x 1 root root 127668 Aug 3 1998 /usr/X11R6/bin/nxterm
-rwsr-xr-x 1 root root 30424 Sep 10 1998 /usr/bin/at
-rwsr-xr-x 1 root root 29928 Aug 21 1998 /usr/bin/chage
-rwsr-xr-x 1 root root 29240 Aug 21 1998 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 770132 Oct 11 1998 /usr/bin/dos
-r-sr-sr-x 1 root root 13876 Oct 2 1998 /usr/bin/lpq
-r-sr-sr-x 1 root root 15068 Oct 2 1998 /usr/bin/lpr
-r-sr-sr-x 1 root root 14732 Oct 2 1998 /usr/bin/lprm
-r-sr-xr-x 1 root bin 15613 Apr 27 1998 /usr/bin/passwd
-rws--x--x 2 root root 464140 Sep 10 1998 /usr/bin/suidperl
-rws--x--x 2 root root 464140 Sep 10 1998 /usr/bin/sperl5.00404
-rwsr-sr-x 1 root mail 54412 Aug 16 1998 /usr/bin/procmail
-rwsr-xr-x 1 root root 13876 Sep 11 1998 /usr/bin/rcp
-rwsr-xr-x 1 root root 10352 Sep 11 1998 /usr/bin/rlogin
-rwsr-xr-x 1 root root 7044 Sep 11 1998 /usr/bin/rsh
-rws--x--x 1 root root 10308 Oct 14 1998 /usr/bin/chfn
-rws--x--x 1 root root 9724 Oct 14 1998 /usr/bin/chsh
-rws--x--x 1 root root 4044 Oct 14 1998 /usr/bin/newgrp
-r-sr-sr-x 1 uucp uucp 121300 Sep 10 1998 /usr/bin/cu
-r-sr-xr-x 1 uucp uucp 84860 Sep 10 1998 /usr/bin/uucp
-r-sr-sr-x 1 uucp uucp 35524 Sep 10 1998 /usr/bin/uuname
-r-sr-xr-x 1 uucp uucp 93892 Sep 10 1998 /usr/bin/uustat
-r-sr-xr-x 1 uucp uucp 86912 Sep 10 1998 /usr/bin/uux
-rwsr-xr-x 1 root root 20200 Jun 12 1998 /usr/bin/crontab
-rwsr-xr-x 1 root news 5491 Sep 10 1998 /usr/lib/news/bin/startinnfeed
-rws--x--x 1 root root 589718 Jul 20 1999 /usr/local/bin/ssh1
-rwsr-xr-x 1 root root 5188 Oct 15 1998 /usr/sbin/usernetctl
-rwsr-x--- 1 root news 6076 Sep 10 1998 /usr/sbin/inndstart
-rwsr-xr-x 1 root bin 19212 Aug 7 1998 /usr/sbin/traceroute
-rwsr-xr-x 1 root root 8808 Oct 12 1998 /usr/sbin/userhelper
-r-sr-sr-x 1 uucp uucp 214068 Sep 10 1998 /usr/sbin/uucico
-r-sr-sr-x 1 uucp uucp 95612 Sep 10 1998 /usr/sbin/uuxqt
-rwsr-xr-x 1 root root 12648 Aug 5 1998 /bin/su
-rwsr-xr-x 1 root root 37672 Oct 6 1998 /bin/mount
-rwsr-xr-x 1 root root 19116 Oct 6 1998 /bin/umount
-rwsr-xr-x 1 root root 14116 Jun 17 1998 /bin/ping
-rws--x--x 1 root root 15284 Oct 14 1998 /bin/login
-rwsr-xr-x 1 root root 9864 Oct 13 1998 /sbin/cardctl
-r-sr-xr-x 1 root root 28258 May 23 1998 /sbin/pwdb_chkpwd
#

This is a lot of programs, and there are some I was surprised to see
(like xterm).

-- Jerry Callen Mobile: 617-388-3990
Narsil FAX: 617-876-5331
63 Orchard Street email: [EMAIL PROTECTED]
Cambridge, MA 02140-1328
PGP public keys available from http://pgp.ai.mit.edu
fingerprints:
DH/DSS key ID 0x1806252C: 7669 A4CD 759A 6EB7 AF04
C10D B659 2A4B 1806 252C
RSA key ID 0x99F7AAE5: D265 DC9C 13FD 6110
30F5 1874 A206 24B1
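
Added example, not part of the original message: one way to use a listing like the one above for auditing is to keep a reviewed baseline of setuid files and report anything new, changed or missing. The function names, the "mode owner group path" record format and the /tmp/constructed-helper entry are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): track setuid files against a
# reviewed baseline. Record format "mode owner group path" is this example's choice.

# Inventory setuid regular files under the given directories.
# "-perm -4000" replaces the post's "-perm +04000", which current GNU find rejects.
# Paths containing whitespace are not handled (awk takes the last field).
suid_inventory() {
    find "$@" -xdev -type f -perm -4000 -exec ls -ld {} \; 2>/dev/null |
        ls_to_records
}

# Turn "ls -l" lines such as those in the listing into sorted records.
ls_to_records() {
    awk 'NF >= 9 && $1 ~ /^-..[sS]/ { print $1, $3, $4, $NF }' | sort -k4
}

# suid_diff BASELINE CURRENT: report NEW, CHANGED and GONE setuid files.
suid_diff() {
    awk '
        FILENAME == ARGV[1] { base[$4] = $1 " " $2 " " $3; next }
        {
            cur = $1 " " $2 " " $3; seen[$4] = 1
            if (!($4 in base))        print "NEW", $4, cur
            else if (base[$4] != cur) print "CHANGED", $4, base[$4], "->", cur
        }
        END { for (p in base) if (!(p in seen)) print "GONE", p }
    ' "$1" "$2" | sort
}

# Constructed demo: the baseline reuses three lines from the listing; the
# "current" state is invented to show each kind of finding.
demo() {
    dir=$(mktemp -d) || return 1
    ls_to_records > "$dir/base" <<'EOF'
-rwsr-xr-x 1 root root 12648 Aug 5 1998 /bin/su
-rwsr-xr-x 1 root root 14116 Jun 17 1998 /bin/ping
-rws--x--x 1 root root 147028 Oct 10 1998 /usr/X11R6/bin/xterm
EOF
    ls_to_records > "$dir/cur" <<'EOF'
-rwsr-xr-x 1 root root 12648 Aug 5 1998 /bin/su
-rwsrwxr-x 1 root root 14116 Jun 17 1998 /bin/ping
-rwsr-xr-x 1 root root 9999 Jan 1 1999 /tmp/constructed-helper
EOF
    suid_diff "$dir/base" "$dir/cur"
    rm -rf "$dir"
}

demo
```

On a live system the baseline would come from `suid_inventory / > baseline` after each entry has been reviewed, with later runs written to a second file and passed to `suid_diff`.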