Diff for "Security/Investigation/Setuid"

Setuid

Differences between revisions 11 and 12

This is a list of setuid applications that need investigation. See the [https://lists.ubuntu.com/archives/ubuntu-hardened/2007-October/000217.html mailinglist post] about this for more information.

Source Package Name	setuid Files	De-rooted	Capabilities	Changes Sent Upstream	Comments
iputils	/bin/ping, /bin/ping6, /bin/arping, /usr/bin/traceroute6.iputils	yes	possible	UNKNOWN	line 129 ping.c, line 217 ping6.c, line 314 arping.c, line 343 traceroute6.c
fping	/bin/fping	needed		no	Checks: if ( geteuid() ) {... exit(3); Will patch and send upstream -JeffSchroeder
mtr	/usr/bin/mtr	yes	possible	n/a	*line 333 mtr.c
util-linux	/bin/mount, /bin/umount	needed	no	n/a	Checks: if (getuid () != geteuid ()). Should check for CAP_SYS_ADMIN capability
glibc	/usr/lib/pt_chown	yes	possible	n/a	*line 147glibc-2.6.1/login/programs/pt_chown.c
cdrtools	/usr/bin/cdrecord	yes	possible	n/a	*line 1120 cdrecord/cdrecord.c
libpam-foreground	/bin/check-foreground-console	no	no	n/a	Small secure wrapper to read /dev/console
eject	/usr/lib/eject/dmcrypt-get-device	yes	possible	n/a	*lines 60-61 dmcrypt-get-device.c

* - Where in the software the privileges are dropped using the setuid() or setreuid() system calls.

Security/Investigation/Setuid (last edited 2013-07-23 07:07:01 by 74)

-  ⇤ ← Revision 11 as of 2007-10-31 21:57:02 → 
  Size: 1365
  Editor: office4
  Comment: Added check-foreground-console
+   ← Revision 12 as of 2007-10-31 22:04:25 → ⇥
  Size: 1441
  Editor: office4
  Comment: added dmcrypt-get-device
-Deletions are marked like this.
+Additions are marked like this.
 Line 6:
-|| mtr || /usr/bin/mtr || yes || possible || n/a || *line 333 in mtr.c ||
+|| mtr || /usr/bin/mtr || yes || possible || n/a || *line 333 mtr.c ||
 Line 8:
-|| glibc || /usr/lib/pt_chown || yes || possible || n/a || *line 147 in glibc-2.6.1/login/programs/pt_chown.c||
|| cdrtools || /usr/bin/cdrecord || yes || possible || n/a || *line 1120 in cdrecord/cdrecord.c ||
|| libpam-foreground || /bin/check-foreground-console || no || no || n/a || Tiny wrapper to read /dev/console. No real security gain to deroot. ||
+|| glibc || /usr/lib/pt_chown || yes || possible || n/a || *line 147glibc-2.6.1/login/programs/pt_chown.c||
|| cdrtools || /usr/bin/cdrecord || yes || possible || n/a || *line 1120 cdrecord/cdrecord.c ||
|| libpam-foreground || /bin/check-foreground-console || no || no || n/a || Small secure wrapper to read /dev/console||
|| eject || /usr/lib/eject/dmcrypt-get-device || yes || possible || n/a || *lines 60-61 dmcrypt-get-device.c ||