DerootificationStatus

The following programs/processes were already successfully "derooted", i. e. the process does not run as root any more, or got its suid root bit removed:

• klogd (patch sent to Debian BTS)

• syslogd (patch sent to Debian BTS)

• cupsd (patch sent to Debian BTS)

• hald (accepted in Debian, accepted upstream)

• ntpd (patch sent to Debian BTS)

• procmail (patch sent to Debian BTS)

• smbmount/smbumount (trivial packaging change, not really appropriate for Debian)
• jackd (Ubuntu patch effectively disables realtime feature by installing it non-suid)

• login (patch sent to Debian BTS, adopted in Debian)

• gpg/gnupg (patch sent to Debian BTS); completely non-suid in Ubuntu, kernel 2.6.8+ supports mlock() as user

• hpoj (patch sent to Debian BTS, accepted in Debian)

• at (patch sent to Debian BTS, accepted in Debian)

• dhcp3-server (patch sent to Debian BTS)

• unix_chkpwd (pam and nis patches sent to Debian BTS)

• hplip (accepted in Debian)

The following processes still appear to run with too many privileges by default and should be investigated:

• udevd
• power management daemons
• X
• arpwatch
• vsftpd

The following programs/processes were at one point "derooted" but now run as root:

• dhcp3-client (patch sent to Debian BTS )