On Thu Oct 28 1999 at 19:13, " " wrote:
[for readability, you should format your messages to line-break
around columns 65-70]
> I recently scanned my system for programs owned by root that have
> the suid bit set, and found not one but about 200 such programs.
> Can this possibly be justified?
For most of them, yes. Be very careful...
> Could there be a problem if I just run a script that removes the
> suid bit from all of them? What script would I use for that anyway?
Do so at your own peril... you'll break everything so badly that
you'll end up being forced to do a full re-installation of your entire
system. (Good way to get an unscheduled upgrade at the same time :)
Believe me... been there, done that. (Well, in a fashion... I once
accidentally ran a recursive chmod over the wrong directory tree, man,
what a disastrous mess I had to clean up after that). There are some
things that absolutely have to be suid root (e.g., mount).
Most security problems with most root-suid programs are now moot...
the way they should act is to only actually change to uid=0 when they
need to for whatever they are doing, then give up such privileges
immediately they are no longer needed. Programs that give access to
hardware are good examples of this sort of thing.
Cheers
Tony
-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-
Tony Nugent <[EMAIL PROTECTED]> Systems Administrator
GrowZone OnLine (a project of) GrowZone Development Network
POBox 475 Toowoomba Queensland Australia 4350 Ph: 07 4637 8322
-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-
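
The privilege bracketing described in the reply above, as an added example that is not part of the original message: a suid-root program runs as the invoking user, raises its effective uid only around the one call that needs it, then gives the privilege up for good and checks that it cannot be regained. It assumes Linux/glibc and a binary installed suid root; the function names and the `/dev/null` stand-in device path are hypothetical.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

static uid_t real_uid, priv_uid;  /* priv_uid is 0 when installed suid root */

/* First thing in main(): remember the privileged euid, then run as the caller. */
int priv_init(void) {
    real_uid = getuid();
    priv_uid = geteuid();
    return seteuid(real_uid);     /* the saved set-user-ID still holds priv_uid */
}

/* Raise privileges around one operation only, then lower them again. */
int priv_run(int (*op)(void *), void *arg) {
    if (seteuid(priv_uid) != 0) return -1;
    int rc = op(arg);
    if (seteuid(real_uid) != 0) _exit(1);  /* never carry on with euid stuck at 0 */
    return rc;
}

/* Give up privileges for good once they are no longer needed. */
int priv_drop_forever(void) {
    if (seteuid(priv_uid) != 0) return -1; /* setuid() resets the saved ID only if euid is 0 */
    if (setuid(real_uid) != 0) return -1;
    if (priv_uid != real_uid && seteuid(priv_uid) == 0) return -1; /* must not come back */
    return (getuid() == real_uid && geteuid() == real_uid) ? 0 : -1;
}

/* Hypothetical privileged step: open a device node and return the fd. */
static int open_device(void *path) { return open((const char *)path, O_RDONLY); }

int main(void) {
    if (priv_init() != 0) return 1;
    int fd = priv_run(open_device, "/dev/null");  /* stand-in device path */
    if (fd < 0 || priv_drop_forever() != 0) return 1;
    printf("fd=%d ruid=%d euid=%d\n", fd, (int)getuid(), (int)geteuid());
    close(fd);
    return 0;
}
```

A setgid program would bracket its group ID the same way with `setegid()` and `setgid()`, dropping the group before the user ID.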