Subject: Re: NetBSD 1.5.2 default configuration
To: Manuel Bouyer <bouyer@antioche.eu.org>
From: None <xs@kittenz.org>
List: tech-security
Date: 02/02/2002 21:48:58
on Sat, Feb 02, 2002 at 07:01:08PM +0100, Manuel Bouyer wrote:
> > ... inetd ...
>
> As it runs with no port open, it's not that much of a problem.

Agreed. It just seemed odd to have it running by default at all.

> > /sbin/{r,}dump{,_lfs} are sgid tty - this again (to me) doesn't seem
> > necessary.
> 
> This is for 'dump -n' to work.

Which could be done by /usr/bin/write or wall I guess, but then it wouldn't
override mesg n (which dump -n appears to at the moment, if I read the
source for 1.5.2 correctly).

> > other such binaries are: /sbin/ccdconfig,
> 
> /sbin/ccdconfig may have to read /dev/kmem by non-root users.

Is sysctl (or a transfer method similar to sysctl) better suited to
transferring this kind of data? It only appears to want a small amount of
data, occasionally.

> > /usr/sbin/pppd,
> 
> You don't have to be root to run pppd.

afaik, you need to be root to set up any other kinds of network
(pseudo)devices by default. pppd is quite a complex and multipurpose
daemon.

> > /sbin/shutdown (this makes sense in some situations, I suppose, but anyone
> > with gid operator could, fairly easily, obtain root through read access on
> > /dev/[ws]d*),
> 
> Hum, read doesn't give you automatically root, and users in group operator
> are supposed to be trusted.

Well, if you run /bin/df, you get added to group operator temporarily,
so if there were some vulnerability in df or a library it was linked with...

Read can be enough to get root: kerberos keys, ssh keys (especially host keys
as they are unencrypted and allow you to perform a mitm attack undetected),
/etc/master.passwd, etc. Some methods are obviously easier than others.

> > /usr/bin/login, /usr/sbin/sliplogin
> 
> I'm not sure for /usr/sbin/sliplogin, but /usr/bin/login needs to be root for
> normal operation (it's valid to call it from non-root processes).

Surely a suid login does the same as /usr/bin/su?
/usr/sbin/sliplogin is suid root so it may be used as a user's login shell.
I should read more manpages, and I suppose this is one reason why pppd
is suid by default too.

Something like:
-r-sr-xr--  1 root  remote  136916 Aug 18 03:30 /usr/sbin/pppd

would seem more logical to me if this is the case, but is using
pppd/sliplogin as a login shell common enough to make them suid by default?

Thanks
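The thread above is, in effect, a manual audit of which binaries carry the setuid/setgid bit and who is allowed to execute them (the `-r-sr-xr--  root  remote` idea for pppd being the key distinction between "setuid root, runnable by anyone" and "setuid root, runnable by one trusted group"). The following is an added example, not code from this message or from NetBSD: a small Python audit that parses `ls -l` style lines, decodes the symbolic mode, and summarises each privileged entry with the set of users who can actually invoke it. The sample listing is constructed for illustration, and the modes it shows are not a claim about any real NetBSD release.

```python
"""Audit an `ls -l` listing for set-user-id / set-group-id binaries.

Added example for the tech-security thread on NetBSD 1.5.2 defaults; it is
not code from the original message or from NetBSD.  It parses the classic
ls -l line format, flags every setuid/setgid entry, and reports who can
execute it, so "setuid root but only runnable by one group" is kept apart
from "setuid root and runnable by anyone".
"""
import re
from dataclasses import dataclass

# ls -l fields: mode, link count, owner, group, size, month, day, time-or-year, path
LS_LINE = re.compile(
    r"^(?P<mode>[-dlbcps][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<path>\S+)$"
)


@dataclass
class Entry:
    path: str
    owner: str
    group: str
    setuid: bool
    setgid: bool
    group_exec: bool
    other_exec: bool


def parse_mode(mode: str) -> dict:
    """Decode a 10-character symbolic mode such as '-r-sr-xr--'.

    Character 3 is the owner execute slot: 'x' plain, 's' setuid+exec,
    'S' setuid without exec.  Character 6 is the same slot for the group
    (setgid), character 9 for others (sticky bit shown as 't'/'T').
    """
    if len(mode) != 10:
        raise ValueError(f"not a symbolic mode: {mode!r}")
    return {
        "setuid": mode[3] in "sS",
        "setgid": mode[6] in "sS",
        "sticky": mode[9] in "tT",
        "owner_exec": mode[3] in "xs",
        "group_exec": mode[6] in "xs",
        "other_exec": mode[9] in "xt",
    }


def parse_listing(listing: str) -> list[Entry]:
    """Turn ls -l text into Entry records, skipping 'total N' and junk lines."""
    entries = []
    for line in listing.splitlines():
        m = LS_LINE.match(line.strip())
        if not m:
            continue
        bits = parse_mode(m["mode"])
        entries.append(Entry(m["path"], m["owner"], m["group"],
                             bits["setuid"], bits["setgid"],
                             bits["group_exec"], bits["other_exec"]))
    return entries


def describe(e: Entry) -> str:
    """One-line summary: which identity the binary gains and who may run it."""
    if e.setuid and e.setgid:
        priv = f"setuid {e.owner}, setgid {e.group}"
    elif e.setuid:
        priv = f"setuid {e.owner}"
    else:
        priv = f"setgid {e.group}"
    if e.other_exec:
        who = "executable by everyone"
    elif e.group_exec:
        who = f"executable only by group {e.group}"
    else:
        who = "executable only by the owner"
    return f"{e.path}: {priv}, {who}"


def audit(listing: str) -> list[str]:
    """Describe every setuid/setgid entry, root-owned ones first, then by path."""
    privileged = [e for e in parse_listing(listing) if e.setuid or e.setgid]
    privileged.sort(key=lambda e: (e.owner != "root", e.path))
    return [describe(e) for e in privileged]


# Constructed sample listing (not real NetBSD output); modes are illustrative.
SAMPLE_LISTING = """\
total 4
-r-sr-xr--  1 root  remote  136916 Aug 18 03:30 /usr/sbin/pppd
-r-sr-xr-x  1 root  wheel    24380 Aug 18 03:30 /usr/bin/login
-r-xr-sr-x  1 root  tty      66104 Aug 18 03:30 /sbin/dump
-r-xr-xr-x  1 root  wheel    12000 Aug 18 03:30 /bin/cat
"""

if __name__ == "__main__":
    for line in audit(SAMPLE_LISTING):
        print(line)
```

Feeding it real output from `ls -l` over a list of paths (or from `find / -perm -4000 -o -perm -2000` piped through `ls -l`) gives a quick inventory of which privileged binaries are world-executable and which are already narrowed to a group, which is exactly the comparison being argued about above.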