(tech removed from reply, don't cross-post)

If you consistently log on to your system as root, then you probably don't need many SUID or SGID executables at all, since everything (interactive) will run with root privileges anyway.

But if you usually log on as an unprivileged user (as you should if you really care about security) then you will find that certain things don't work without SUID or SGID. Which is exactly why SUID or SGID are used.

To use your wall / write example, try removing the SGID bit from those executables, then (as a regular user) try using them to see if they work. You should discover that an unprivileged user does not have the ability to write to other users' terminals, which prevents write from working. In order to be able to write to a terminal other than your own, you need additional privileges. root privileges would work, but that is much more than you need, which is why the 'tty' group exists. That group has just the rights that wall / write need, and not a lot else.

If you are sure you will never need wall / write, you can remove the setgid bit from them, or even delete them entirely. If you aren't sure (e.g. are you certain that shutdown doesn't use wall to send shutdown notification messages to users?) then you should leave them alone.

As a general rule, it is safe to assume that if OpenBSD installs programs with setuid or setgid bits set, then those programs need them to be that way. You are welcome to investigate each case individually, and if you discover that a specific program doesn't need to be setuid/setgid, or can be rewritten to work without them, then you are welcome to submit a patch making it so.

-ken

On Tue, Jan 6, 2015 at 2:27 AM, whoami toask <whoamito...@safe-mail.net> wrote:
> Hello,
>
> Aren't there too many SUID/SGID files on a default OpenBSD install?
>
> Can this number be reduced?
>
> Example: why do wall, write, modstat need an SGID?
>
> # uname -a
> OpenBSD notebook.lan 5.6 GENERIC.MP#333 amd64
> # find / -perm -4000 -o -perm -2000 -ls -print
> 78047 5856 -rwxr-sr-x 1 root auth 2970920 Aug 6 21:45 /usr/X11R6/bin/xlock
> 78068 1216 -rwxr-sr-x 1 root utmp 592056 Aug 6 22:09 /usr/X11R6/bin/xterm
> 1147497 60 -r-xr-sr-x 1 root kmem 30200 Jul 31 11:50 /usr/local/bin/libgtop_server2
> 78031 32 -r-xr-sr-x 1 root utmp 15864 Jul 31 09:57 /usr/local/libexec/gnome-pty-helper
> 155910 84 -r-xr-sr-x 4 root crontab 41752 Aug 8 08:06 /usr/bin/at
> 155910 84 -r-xr-sr-x 4 root crontab 41752 Aug 8 08:06 /usr/bin/atq
> 155910 84 -r-xr-sr-x 4 root crontab 41752 Aug 8 08:06 /usr/bin/atrm
> 155910 84 -r-xr-sr-x 4 root crontab 41752 Aug 8 08:06 /usr/bin/batch
> 155943 72 -r-xr-sr-x 1 root crontab 36504 Aug 8 08:06 /usr/bin/crontab
> 156014 24 -r-xr-sr-x 1 root auth 11672 Aug 8 08:06 /usr/bin/lock
> 156019 60 -r-xr-sr-x 1 root daemon 28952 Aug 8 08:06 /usr/bin/lpq
> 156033 20 -r-xr-sr-x 1 root _lkm 8952 Aug 8 08:06 /usr/bin/modstat
> 156035 292 -r-xr-sr-x 1 root kmem 148216 Aug 8 08:06 /usr/bin/netstat
> 156093 24 -r-xr-sr-x 1 root auth 11544 Aug 8 08:06 /usr/bin/skeyaudit
> 156094 16 -r-xr-sr-x 1 root auth 8184 Aug 8 08:06 /usr/bin/skeyinfo
> 156095 44 -r-xr-sr-x 1 root auth 20632 Aug 8 08:06 /usr/bin/skeyinit
> 156105 704 -r-xr-sr-x 1 root _sshagnt 333656 Aug 8 08:07 /usr/bin/ssh-agent
> 156112 284 -r-xr-sr-x 1 root kmem 144568 Aug 8 08:06 /usr/bin/systat
> 156146 32 -r-xr-sr-x 1 root tty 15928 Aug 8 08:06 /usr/bin/wall
> 156152 28 -r-xr-sr-x 1 root tty 13080 Aug 8 08:06 /usr/bin/write
> 103939 40 -r-xr-sr-x 4 root _token 20344 Aug 8 08:06 /usr/libexec/auth/login_activ
> 103939 40 -r-xr-sr-x 4 root _token 20344 Aug 8 08:06 /usr/libexec/auth/login_crypto
> 103943 40 -r-xr-sr-x 1 root _radius 19928 Aug 8 08:06 /usr/libexec/auth/login_radius
> 103945 24 -r-xr-sr-x 1 root auth 11608 Aug 8 08:06 /usr/libexec/auth/login_skey
> 103939 40 -r-xr-sr-x 4 root _token 20344 Aug 8 08:06 /usr/libexec/auth/login_snk
> 103939 40 -r-xr-sr-x 4 root _token 20344 Aug 8 08:06 /usr/libexec/auth/login_token
> 103947 40 -r-xr-sr-x 1 root auth 20408 Aug 8 08:06 /usr/libexec/auth/login_yubikey
> 103987 1568 -r-xr-sr-x 1 root smmsp 783576 Aug 8 08:08 /usr/libexec/sendmail/sendmail
> 52023 80 -r-xr-sr-x 1 root daemon 39736 Aug 8 08:06 /usr/sbin/lpc
> 52024 160 -r-xr-s--- 1 root daemon 80952 Aug 8 08:06 /usr/sbin/lpd
> 52073 52 -r-xr-sr-x 1 root kmem 24664 Aug 8 08:06 /usr/sbin/pstat
> 519680 4 drwxrws--- 2 root wheel 512 Aug 8 08:05 /var/audit
> # find / -perm -4000 -o -perm -2000 -ls -print | wc -l
> 32
>
> Thanks,
>
> have a secure day!
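A check worth making before trusting the inventory above: every entry in it is setgid (the 's' sits in the group execute column) and not one setuid binary appears, which a stock OpenBSD install certainly has. That is an artifact of the find(1) expression, not of the system. find's implicit -a binds tighter than -o, so `-perm -4000 -o -perm -2000 -ls -print` parses as `-perm -4000 -o ( -perm -2000 -a -ls -a -print )`; a file that matches -perm -4000 makes the left side true, the -o short-circuits, and the file is never printed. Setuid-only and setuid+setgid files are silently dropped, so the list is a lower bound. The script below is an added example written for this thread, not code posted by either participant: it builds a scratch directory with one file of each kind (constructed test data, no real system binaries involved), counts what the expression as posted finds versus a properly parenthesized one, and includes a small mode-string classifier for the case-by-case review Ken suggests.

```shell
#!/bin/sh
# Added example (not from the thread). Shows why the posted
#   find / -perm -4000 -o -perm -2000 -ls -print
# lists only setgid files, and gives the grouped form that finds all of them.
# Runs against a scratch directory, never against /.

set -eu

# Build a scratch tree with one file of each kind. Constructed sample data;
# the caller owns the files, so chmod may set the bits without root.
make_fixture() {
    d=$(mktemp -d)
    : > "$d/suid_only"; chmod 4755 "$d/suid_only"   # setuid only
    : > "$d/sgid_only"; chmod 2755 "$d/sgid_only"   # setgid only
    : > "$d/both";      chmod 6755 "$d/both"        # setuid and setgid
    : > "$d/plain";     chmod 0755 "$d/plain"       # neither
    printf '%s\n' "$d"
}

# Expression as posted: -print attaches to -perm -2000 alone, so a file
# matching -perm -4000 satisfies the -o early and is never printed.
count_as_posted() {
    find "$1" -perm -4000 -o -perm -2000 -print | wc -l | tr -d ' '
}

# Grouped form: the two tests are one operand, -print applies to either match.
count_grouped() {
    find "$1" \( -perm -4000 -o -perm -2000 \) -print | wc -l | tr -d ' '
}

# Classify a 10-character mode string from ls -l or find -ls output.
# Column 4 is the owner execute slot (s = setuid), column 7 the group execute
# slot (s = setgid). An upper-case S means the bit is set on a file that is
# not executable for that class, which is unusual and worth a second look.
classify_mode() {
    case "$1" in
        ???[sS]??[sS]???) echo setuid+setgid ;;
        ???[sS]??????)    echo setuid ;;
        ??????[sS]???)    echo setgid ;;
        *)                echo none ;;
    esac
}

# Demo: the posted expression sees 1 of the 3 privileged files.
scratch=$(make_fixture)
echo "as posted: $(count_as_posted "$scratch")"
echo "grouped:   $(count_grouped "$scratch")"
for m in -r-xr-sr-x -rwsr-xr-x -rwsr-sr-x drwxrws---; do
    echo "$m -> $(classify_mode "$m")"
done
rm -rf "$scratch"
```

To audit a live OpenBSD box the way Ken describes, run the grouped find and feed each mode field to the classifier, e.g. `classify_mode "$(ls -l /usr/bin/wall | cut -c1-10)"`; then, for each setgid entry, ask what the group (tty, kmem, utmp, crontab, ...) actually grants and whether the program can do its job without it before touching the bit.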