Hey,

Remove the suid bit (chmod u-s) the following is true: (NN -- not needed on servers, NW -- not needed on workstations, YR -- your call). If no acronym then it is required.

/usr/sbin/sendmail -- sending mail
/usr/X11R6/bin/Xwrapper (NN) -- you are using X and normal users will be using it as well.
/usr/bin/crontab (NN)(NW) -- normal users can create cron entries
/usr/bin/chage (YR) -- normal users can change their password aging feature.
/usr/bin/gpasswd (YR) -- group users can change passwords
/usr/bin/at (NN, NW) -- you are using this daemon to run scheduled tasks
/usr/bin/gpg (YR) -- normal users can use encryption
/usr/bin/suidperl (NN,NW) -- (I'm still not sure the purpose of this program)
/usr/bin/sperl5.6.0 (NN,NW) -- (same as above)
/usr/bin/passwd -- Required so normal users can change their password.
/usr/bin/ssh -- required so normal users can initiate ssh connections
/usr/bin/chfn (NN,NW) -- users can change their finger information
/usr/bin/chsh (NN,NW) -- users can change their shell
/usr/bin/newgrp (NN,NW) -- users can change to a new group.
/usr/sbin/usernetctl (NN,NW) -- normal users change network interface information and bring them up or down
/usr/sbin/traceroute (YR) -- normal users can perform traceroutes
/usr/sbin/userhelper (YR depends on the above) -- gives users info on how to use features like chfn or chsh, etc.
/bin/ping (NN) -- normal users can ping
/bin/su (YR) -- normal users allowed to su in to root or other user accounts (provided the password is known)
/bin/mount (NN) -- users can mount filesystems.
/bin/umount (NN) -- users can unmount filesystems.
/sbin/pwdb_chkpwd -- used to determine if the password typed is a strong password and not a dictionary word.
/sbin/unix_chkpwd

Regardless, the ones that are okay are: passwd, unix_chkpwd, pwdb_chkpwd, sendmail, ssh, traceroute. This will depend on your setup however.

Crap I am about late for work. I'll email back about sgids later unless someone else emails first.
Also, look up libsafe and install that.

On Wed, 9 Jan 2002, BUNTER MATTHEW wrote:

> --- Received from RVIDOI.BUNTERMA 04 72 96 57 77 09/01/02 09.37
>
> All,
>
> Just joined yesterday so apologies if I am asking something that
> has been covered recently.
>
> Trying to add a setuid/setgid section to a Linux security
> standard. I would like some opinions as to which files can be left
> with setuid and setgid and which should definitely NOT be left
> setuid or setgid.
>
> I have been having a good crawl around the net for a while and can
> find various links on how to identify and edit these types of
> files but not which ones should be altered or left alone. I
> already have the Solaris recommendations.
>
> This will have to cover both server and workstation
> implementations.
>
> Thanks in advance,
>
> Matt
>
> ---- 09/01/02 09.37 ---- Sent to ---------------------------
> -> SECURITY-DISCUSS(a)LINUXSECURITY.COM
> ------------------------------------------------------------------------
> To unsubscribe email security-discuss-request@linuxsecurity.com
> with "unsubscribe" in the subject of the message.
>

--
duane
--
GnuPG Public Key: http://sukkha.homeip.net/pgp.html
--
Fun reading: 8-) http://linuxtoday.com/search.php3?author=Duane:Dunston
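
The list in the reply above, turned into a policy table and a classifier for setuid files on a server or workstation profile. This is an added example, not part of the original messages; the function names and the mapping of NN/NW/YR to STRIP/REVIEW/KEEP actions are assumptions made for illustration.

```shell
# Added example. Table transcribed from the reply: path, then its tags
# ("-" = no acronym, i.e. required). The action mapping below is an assumption.
suid_policy() { cat <<'EOF'
/usr/sbin/sendmail -
/usr/X11R6/bin/Xwrapper NN
/usr/bin/crontab NN,NW
/usr/bin/chage YR
/usr/bin/gpasswd YR
/usr/bin/at NN,NW
/usr/bin/gpg YR
/usr/bin/suidperl NN,NW
/usr/bin/sperl5.6.0 NN,NW
/usr/bin/passwd -
/usr/bin/ssh -
/usr/bin/chfn NN,NW
/usr/bin/chsh NN,NW
/usr/bin/newgrp NN,NW
/usr/sbin/usernetctl NN,NW
/usr/sbin/traceroute YR
/usr/sbin/userhelper YR
/bin/ping NN
/bin/su YR
/bin/mount NN
/bin/umount NN
/sbin/pwdb_chkpwd -
/sbin/unix_chkpwd -
EOF
}
# classify_suid PROFILE [ROOT]: setuid paths on stdin -> "ACTION path" lines.
classify_suid() {
    case $1 in server) drop=NN ;; *) drop=NW ;; esac
    while IFS= read -r f; do
        rel=${f#"$2"}                    # path relative to the scanned root
        tags=$(suid_policy | awk -v p="$rel" '$1 == p { print $2 }')
        case $tags in
            '')        act=UNLISTED ;;   # not in the reply's list
            *"$drop"*) act=STRIP ;;      # candidate for chmod u-s on this profile
            *YR*)      act=REVIEW ;;     # "your call"
            *)         act=KEEP ;;
        esac
        printf '%s %s\n' "$act" "$rel"
    done
}
# audit_suid PROFILE [ROOT]: scan ROOT (default /) for setuid regular files.
audit_suid() {
    root=${2%/}
    find "${root:-/}" -xdev -type f -perm -4000 2>/dev/null | LC_ALL=C sort |
        classify_suid "$1" "$root"
}
```

Run `audit_suid server` or `audit_suid workstation` as root for a report only; nothing is changed on disk, and UNLISTED entries are setuid files the reply does not cover.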