Subject: 'shutdown' setuid?
To: None <firstname.lastname@example.org>
From: Steve Bellovin <email@example.com>
Date: 12/03/2002 23:05:08
Why is /sbin/shutdown setuid root on 1.6 and -current? (I haven't checked
any other versions.) The code ensures that it's running as root, which
is reasonable -- but if it's setuid, it always will be.
(I agree that on single-user machines, it's a reasonable thing to do.
But the owner can do that on a per-machine basis.)
--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com ("Firewalls" book)