On Wed, Oct 12, 2005 at 10:41:48AM -0400, Joe Barrett wrote:
> While Rob is completely right, you may also want to check if `id -g` ==
> 0 as well. I'm not sure what purpose you're using the script for, but
> sometimes an intruder may add themselves to the root group instead of
> just giving themselves the root account, to escape detection. And if for
> no other reason, you never know when someone's odd setup may involve a
> non-root user in the root group.
[this conv is moving OT; sorry ;-)]

You've lost me, Joe. Group root doesn't have many privileges: it can't open
arbitrary files, bind low ports, etc... Why would an attacker add himself to
group root instead of a uid=0 account?

The only thing about group root is there might be programs that only people
in group root can run and be setuid (i.e., perm 4750 or similar), and on a
quick check of my system (Fedora 3), such a thing doesn't exist.

- Rob
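The two checks discussed in this exchange, written out as an added example (it is not code from either poster). `classify_id` takes the text of an `id` line and reports whether the account is uid 0, has effective gid 0, or merely carries group 0 as a supplementary group; the sample `id` lines in the usage below are constructed. `find_group_root_setuid` is the "perm 4750 or similar" search Rob describes: setuid files whose group is root, with group-execute set and no execute bit for others. The directory and group-name arguments are parameters of this example, not of any tool on the page.

```bash
#!/bin/sh
# Added example, not from the thread.

# classify_id: given one line of `id` output such as
#   uid=1000(rob) gid=1000(rob) groups=1000(rob),0(root)
# print one of: uid0, gid0, supplementary-root, unprivileged.
# Pure string handling, so it can be run against constructed input.
classify_id() {
    idline=$1
    uid=$(printf '%s\n' "$idline" | sed -n 's/^uid=\([0-9]*\).*/\1/p')
    gid=$(printf '%s\n' "$idline" | sed -n 's/.*gid=\([0-9]*\).*/\1/p')
    grouplist=$(printf '%s\n' "$idline" | sed -n 's/.*groups=\(.*\)$/\1/p')

    if [ "$uid" = "0" ]; then
        echo uid0
    elif [ "$gid" = "0" ]; then
        echo gid0
    # groups= is a comma-separated list; match an entry whose numeric id is 0.
    elif printf '%s\n' "$grouplist" | tr ',' '\n' | grep -q '^0('; then
        echo supplementary-root
    else
        echo unprivileged
    fi
}

# find_group_root_setuid DIR [GROUP]: list regular files under DIR that are
# setuid (04000) and group-executable (00010) but not world-executable
# (00001), and whose group is GROUP (default root). Mode 4750 matches;
# 4755 does not, because others can already execute it.
find_group_root_setuid() {
    dir=${1:-/}
    grp=${2:-root}
    find "$dir" -xdev -type f -perm -4010 ! -perm -0001 -group "$grp" 2>/dev/null
}

# Usage on constructed input (this is the case Joe describes: the user's
# primary gid is unchanged, only a supplementary root group was added):
# classify_id 'uid=1000(rob) gid=1000(rob) groups=1000(rob),0(root)'
# -> supplementary-root
#
# Live check of the current account and the filesystem:
# classify_id "$(id)"
# find_group_root_setuid /
```

Note that a user added to the root group in /etc/group keeps their own primary gid, so `id -g` (effective gid) still prints their normal group; it is `id -G` or the `groups=` field that reveals the membership, which is why the function looks at both.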
