Diff for "Security/Investigation/Setuid"

Setuid

Differences between revisions 19 and 20

This is a list of setuid applications that need investigation. See the mailinglist post about this for more information.

Source Package	setuid Files	De-rooted	Capabilities	Changes Sent Upstream	Comments
libpam-foreground	/bin/check-foreground-console	no	no	n/a	Small secure wrapper to read /dev/console
cupsys	/usr/bin/lppasswd	no	n/a	n/a	Needs root to read /etc/cups/passwd.*
fping	/bin/fping	needed	n/a	no	Checks: if ( geteuid() ) {... exit(3); Will patch and send upstream -JeffSchroeder
util-linux	/bin/mount, /bin/umount	needed	no	n/a	Checks: if (getuid () != geteuid ()). Should check for CAP_SYS_ADMIN capability
exim4	/usr/sbin/exim4	configurable	possible	n/a	*lines 1581-1582 src/exim.c
shadow	/bin/su, /usr/bin/chfn, /usr/bin/chsh, /usr/bin/gpasswd, /usr/bin/newgrp, /usr/bin/passwd	UNKNOWN	UNKNOWN	UNKNOWN	Needs a review
sudo	/usr/bin/sudo, /usr/bin/sudoedit	UNKNOWN	UNKNOWN	UNKNOWN	Needs a review
iputils	/bin/ping, /bin/ping6, /bin/arping, /usr/bin/traceroute6.iputils	yes	possible	UNKNOWN	line 129 ping.c, line 217 ping6.c, line 314 arping.c, line 343 traceroute6.c
mtr	/usr/bin/mtr	yes	possible	n/a	*line 333 mtr.c
glibc	/usr/lib/pt_chown	yes	possible	n/a	*line 147glibc-2.6.1/login/programs/pt_chown.c
cdrtools	/usr/bin/cdrecord	yes	possible	n/a	*line 1120 cdrecord/cdrecord.c
eject	/usr/lib/eject/dmcrypt-get-device	yes	possible	n/a	*lines 60-61 dmcrypt-get-device.c
openssh-client	/usr/lib/openssh/ssh-keysign	yes	tricky	n/a	*line 176 permanently_set_uid() function ssh-keysign.c

* - Where in the software the privileges are dropped using the setuid() / setgid() or setreuid() / setresgid() system calls.

Security/Investigation/Setuid (last edited 2013-07-23 07:07:01 by 74)

-  ⇤ ← Revision 19 as of 2008-08-06 16:41:21 → 
  Size: 2053
  Editor: localhost
  Comment: converted to 1.6 markup
+   ← Revision 20 as of 2010-04-26 21:37:40 → ⇥
  Size: 2220
  Editor: c-76-105-168-175
  Comment:
-Deletions are marked like this.
+Additions are marked like this.
 Line 2:
+See also the [[http://bazaar.launchpad.net/%7Eubuntu-bugcontrol/qa-regression-testing/master/annotate/head%3A/install/README.files_explained|install audit notes]].