Short_Circut is correct.

I would make a different recommendation from all the rest who have 
mentioned chattr +/-i to you:

Make some reasonable groups for your setuid/setgid binaries, do a chown 
:group of the binaries depending on their category, and remove the world 
exec bit. For example:

groupadd netcmd
# restrict each network tool to the netcmd group: drop world read/exec,
# then hand the binary to the group
for i in /bin/ping /usr/sbin/ping6 /usr/sbin/traceroute \
/usr/sbin/traceroute6; do
        chmod o-rx "$i"
        chown :netcmd "$i"
done

Then, make the only members of said groups the people who need to be 
able to run those commands. Alternatively, you can simply chmod 700 them 
and force people to use sudo to run them. A smart sudoers.conf should 
allow you to protect these binaries pretty well, and log all usage of 
them, if you so desire.


-- 
Josh Glover <[EMAIL PROTECTED]>

Associate Systems Administrator
INCOGEN, Inc.


Short_Circut wrote:
> 
> because the reason they are suid is because they need to have UID=0 (root)
> in order to do certain things. I.e. ping needs it to create the bind thingy.
> And sendmail needs it to write to the mail directory. And 'chsh', 'chfn'
> and 'passwd' need it to modify the passwd file. Some don't need it... Some
> do..
> 
> :~Short_Circut~:
> 
> 
>>I am trying to delimit the number of programs that have SUID permission.
>>Following a friendly recommendation, I found the programs that have SUID by:
>>
>>find / -type f -perm -u+s -or -perm -g+s
>>
>>
>>I attempted to change SUID on some of the results, again following a suggestion:
>>
>>chmod -s file
>>
>>However, this command works sometimes, and sometimes only results in
>>a "permission denied, operation not permitted" message.  For
>>instance, /usr/bin/cu and /usr/bin/rsh resulted in that error message,
>>but /usr/bin/lpr did work.  Why the difference?
>>
>>Thank you,
>>
>>Eric
>>
> 
> 
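Josh's group-based recipe, written up as a reviewable script. This is an added example, not code from the thread; it assumes GNU find/chmod/chown, the group name netcmd is made up, and the self-check runs on a constructed temp tree rather than real system binaries.

```shell
#!/bin/sh
# Added example (not from this thread). Lists setuid/setgid binaries that
# anyone can still execute, then applies Josh's fix: drop the world r/x
# bits and hand the file to a group. GNU find/chmod/chown assumed.

# Print setuid/setgid regular files under $1 that are still world-executable,
# i.e. the ones the recipe has not yet been applied to. Same find predicate
# as in the question, narrowed with -perm -o+x.
list_world_exec_sxid() {
    find "$1" -type f \( -perm -u+s -o -perm -g+s \) -perm -o+x -print 2>/dev/null | sort
}

# Drop world read/exec and assign the group. With DRY_RUN=1 only print the
# commands, so the plan can be reviewed before touching /bin or /usr/sbin.
# Usage: restrict_to_group <group> <file>...
restrict_to_group() {
    group=$1; shift
    for f in "$@"; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf 'chmod o-rx %s; chown :%s %s\n' "$f" "$group" "$f"
        else
            chmod o-rx "$f" && chown ":$group" "$f"
        fi
    done
}

# Self-check on a constructed tree (paths contain no spaces, so the
# unquoted $(...) word-splitting below is safe). Prints "<before> <after>".
demo() {
    d=$(mktemp -d)
    : > "$d/ping";  chmod 4755 "$d/ping"    # setuid, world-exec -> listed
    : > "$d/wall";  chmod 2755 "$d/wall"    # setgid, world-exec -> listed
    : > "$d/done";  chmod 4750 "$d/done"    # already restricted -> skipped
    : > "$d/plain"; chmod 0755 "$d/plain"   # no s-bit at all    -> skipped
    before=$(list_world_exec_sxid "$d" | wc -l | tr -d ' ')
    DRY_RUN=1 restrict_to_group netcmd $(list_world_exec_sxid "$d") >/dev/null
    # real run, using our own primary group so chown succeeds without root
    restrict_to_group "$(id -gn)" $(list_world_exec_sxid "$d")
    after=$(list_world_exec_sxid "$d" | wc -l | tr -d ' ')
    rm -rf "$d"
    echo "$before $after"
}

case "${1:-}" in --demo) demo ;; esac
```

Run with `--demo` for the self-check, or call `list_world_exec_sxid /` to see which setuid/setgid files on the host are still world-executable before deciding which groups to create.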
