Subject: Re: NetBSD 1.5.2 default configuration
To: None <xs@kittenz.org>
From: Manuel Bouyer <bouyer@antioche.eu.org>
List: tech-security
Date: 02/02/2002 19:01:08

On Sat, Feb 02, 2002 at 04:26:43PM +0000, xs@kittenz.org wrote:
> Hi!
> 
> Upon booting a cleanly installed NetBSD 1.5.2 box, there are a few things
> that seem strange. Notably the number of set uid and set gid binaries.
> (The other thing, I suppose, is that inetd is running apparently
> for no reason at all, until it is configured)

As it runs with no port open, it's not that much of a problem.

> 
> For example:
> 
> /bin/df is sgid operator - yet appears to operate fine without this.

This is so that you can run df on an unmounted filesystem.

> /sbin/{r,}dump{,_lfs} are sgid tty - this again (to me) doesn't seem
> necessary.

This is for 'dump -n' to work.

> 
> other such binaries are: /sbin/ccdconfig,

/sbin/ccdconfig may have to read /dev/kmem when run by non-root users.

> /usr/sbin/pppd,

You don't have to be root to run pppd.

> /sbin/shutdown (this makes sense in some situations, I suppose, but anyone
> with gid operator could, fairly easily, obtain root through read access on
> /dev/[ws]d*),

Hum, read doesn't automatically give you root, and users in group operator
are supposed to be trusted.


> /usr/bin/login, /usr/sbin/sliplogin

I'm not sure about /usr/sbin/sliplogin, but /usr/bin/login needs to be root for
normal operation (it's valid to call it from non-root processes).

-- 
Manuel Bouyer <bouyer@antioche.eu.org>
--
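
The thread turns on which groups the default set-gid binaries run as (operator, tty) and what those groups can read under /dev. The following audit script is an added example, not part of the original message or of NetBSD; its function names are hypothetical, and it lists every set-id binary under the given directories and, for each set-gid group, the nodes in a device directory that group can read.

```shell
#!/bin/sh
# Added example: audit set-id binaries and what their groups can read.
# Function names are hypothetical; paths containing spaces are not handled.

# list_setid DIR...: "mode owner group path" for each set-uid/set-gid file.
list_setid() {
    find "$@" -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -ld {} + 2>/dev/null |
        awk '{ print $1, $3, $4, $NF }'
}

# sgid_groups DIR...: unique groups that set-gid binaries run as.
# In the ls mode string, character 7 is the group-execute slot; s/S = set-gid.
sgid_groups() {
    list_setid "$@" | awk 'substr($1, 7, 1) ~ /[sS]/ { print $3 }' | sort -u
}

# group_readable DEVDIR GROUP: nodes under DEVDIR owned by GROUP with the
# group-read bit set (directories and symlinks skipped).
group_readable() {
    find "$1" ! -type d ! -type l -group "$2" -perm -040 2>/dev/null
}

# audit DEVDIR DIR...: full report.
audit() {
    dev=$1; shift
    echo "set-id binaries:"
    list_setid "$@" | sed 's/^/  /'
    for g in $(sgid_groups "$@"); do
        echo "nodes in $dev readable by group $g:"
        group_readable "$dev" "$g" | sed 's/^/  /'
    done
}

# Usage: sh audit.sh /dev /bin /sbin /usr/bin /usr/sbin
if [ "$#" -ge 2 ]; then audit "$@"; fi
```

Comparing the report before and after removing a set-gid bit shows exactly which device access a binary loses, which is the trade-off each reply above describes.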