Subject: Re: 'shutdown' setuid?
To: Simon Burge <simonb@wasabisystems.com>
From: Steven M. Bellovin <smb@research.att.com>
List: netbsd-users
Date: 12/03/2002 23:14:07
In message <20021204041140.8C72953E7F@thoreau.thistledown.com.au>, Simon Burge
writes:
>Steve Bellovin wrote:
>
>> Why is /sbin/shutdown setuid root on 1.6 and -current? (I haven't checked
>> any other versions.) The code ensures that it's running as root, which
>> is reasonable -- but if it's setuid, it always will be.
>>
>> (I agree that on single-user machines, it's a reasonable thing to do.
>> But the owner can do that on a per-machine basis.)
>
>It's also only executable by group operator:
>
> -r-sr-xr-- 1 root operator 270144 Aug 4 01:14 /sbin/shutdown*
>
>so operator folk can reboot the computer.
>
Tnx -- I looked explicitly at that, and missed it.
--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com ("Firewalls" book)
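
Added example, not part of the original message: it decodes the mode string from the `ls -l` line quoted above into permission bits and reports who can start the setuid binary and whose uid it then runs with. The function names are this example's own; the sample line is the one from the thread.

```python
import stat

# ls -l line quoted in the thread (the trailing "*" is the ls -F executable marker)
THREAD_LINE = "-r-sr-xr-- 1 root operator 270144 Aug 4 01:14 /sbin/shutdown*"

def parse_mode(mode_str):
    """Turn a 10-character ls -l mode string into numeric permission bits."""
    if len(mode_str) != 10:
        raise ValueError("expected a 10-character mode string, got %r" % mode_str)
    perms, bits = mode_str[1:], 0
    # Plain read/write slots: (index, expected char, bit)
    for pos, ch, bit in ((0, "r", stat.S_IRUSR), (1, "w", stat.S_IWUSR),
                         (3, "r", stat.S_IRGRP), (4, "w", stat.S_IWGRP),
                         (6, "r", stat.S_IROTH), (7, "w", stat.S_IWOTH)):
        if perms[pos] == ch:
            bits |= bit
    # Execute slots double as special-bit slots:
    # lowercase s/t = special bit + execute, uppercase S/T = special bit only.
    for pos, xbit, special, lower in ((2, stat.S_IXUSR, stat.S_ISUID, "s"),
                                      (5, stat.S_IXGRP, stat.S_ISGID, "s"),
                                      (8, stat.S_IXOTH, stat.S_ISVTX, "t")):
        c = perms[pos]
        if c in ("x", lower):
            bits |= xbit
        if c in (lower, lower.upper()):
            bits |= special
    return bits

def setuid_exposure(ls_line):
    """Report who may execute the file and whose uid it then runs with."""
    fields = ls_line.split()
    mode, owner, group = parse_mode(fields[0][:10]), fields[2], fields[3]
    callers = []
    if mode & stat.S_IXUSR:
        callers.append("user " + owner)
    if mode & stat.S_IXGRP:
        callers.append("group " + group)
    if mode & stat.S_IXOTH:
        callers.append("everyone else")
    setuid = bool(mode & stat.S_ISUID)
    return {"mode": mode, "setuid": setuid,
            "runs_as": owner if setuid else None,
            "callers": callers,
            "world_executable": bool(mode & stat.S_IXOTH)}

if __name__ == "__main__":
    print(setuid_exposure(THREAD_LINE))
```

For the line from the thread this gives mode 4554: setuid root, executable by root and group operator, with no execute bit for other users.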