Most UNIX/Linux installations have some groups (or users) whose members
may be able to become root, for example:

Group   What            Do
bin     /usr/bin        create trojan
disk    /dev/hda        raw write and create setuid root
kmem    /dev/kmem       read root password
shadow  /etc/shadow     crack root password
staff   /usr/local/bin  create trojan
tape    /dev/st0        read confidential backup tape
tty     /dev/tty        add keystrokes, run any code

Often there are no users in these groups nor setgid binaries, so this may
not matter; and in fact be useless, could be owned by root instead.

Group staff is probably special in that administrators may add users to
that group, thinking that this is a lesser privilege than root.

Even in the absence of users in the group, it may be possible for attackers
to "get" that group, via become-any-group-but-root bugs. Such bugs are quite
common: when a group of machines share writable (e.g. user home) directories
via NFS exported from somewhere with default root-squash, getting root on
any one machine gives precisely that on all others of the group. There have
been "genuine" such bugs also e.g. in sendmail.

Please ensure that you are safe: review your use of root-equivalent groups,
file ownerships, and NFS configurations.

For some more discussion please see http://bugs.debian.org/299007 .

Cheers,

Paul Szabo   psz@xxxxxxxxxxxxxxxxx   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia
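One way to carry out the review suggested in the message above, as an added example that is not part of the original post: it reports which users hold the groups from the table (as supplementary or primary group), what access the group bits grant on each listed path, and any setgid files owned by those groups. The function names and the sample group/passwd lines are constructed for illustration.

```python
import os
import stat

# Group -> path pairs taken from the table in the post.
ROOT_EQUIV = {"bin": "/usr/bin", "disk": "/dev/hda", "kmem": "/dev/kmem",
              "shadow": "/etc/shadow", "staff": "/usr/local/bin",
              "tape": "/dev/st0", "tty": "/dev/tty"}

def members_of_risky_groups(group_text, passwd_text):
    """Map each listed group to users holding it (supplementary or primary)."""
    primary = {}  # gid string -> users whose primary group it is
    for line in passwd_text.splitlines():
        f = line.strip().split(":")
        if len(f) >= 4:
            primary.setdefault(f[3], []).append(f[0])
    found = {}
    for line in group_text.splitlines():
        f = line.strip().split(":")
        if len(f) < 4 or f[0] not in ROOT_EQUIV:
            continue
        users = {u for u in f[3].split(",") if u} | set(primary.get(f[2], []))
        if users:
            found[f[0]] = sorted(users)
    return found

def group_access(path):
    """Return (gid, group_can_read, group_can_write) for path."""
    st = os.stat(path)
    return st.st_gid, bool(st.st_mode & stat.S_IRGRP), bool(st.st_mode & stat.S_IWGRP)

def setgid_files(root, gids):
    """List setgid regular files under root whose owning group is in gids."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            st = os.lstat(os.path.join(dirpath, name))
            if (stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISGID
                    and st.st_gid in gids):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)

# Constructed sample input in /etc/group and /etc/passwd format (not a real host).
SAMPLE_GROUP = "root:x:0:\nbin:x:2:\ndisk:x:6:backup\nstaff:x:50:alice,bob\n"
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/sh\ndave:x:1004:50:Dave:/home/dave:/bin/sh\n"

if __name__ == "__main__":
    print(members_of_risky_groups(SAMPLE_GROUP, SAMPLE_PASSWD))
    for grp, path in ROOT_EQUIV.items():
        if os.path.exists(path):
            print(grp, path, group_access(path))
```

On a real host, pass the contents of /etc/group and /etc/passwd instead of the samples; users that come only from NIS or LDAP will not appear in those files.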