Upon booting a cleanly installed NetBSD 1.5.2 box, there are a few things
   that seem strange. Notably the number of set uid and set gid binaries.
   (The other thing, I suppose, is that inetd is running apparently
   for no reason at all, until it is configured)

did you also notice that there are quite a lot of non-setuid programs
as well?  :-)  it is strange that inetd runs when inetd.conf has no
entries... perhaps someone can fix that :-)
   
   /bin/df is sgid operator - yet appears to operate fine without this.

hmm, as this is only required for df of unmounted filessytems, i would
support removal of this setgid bit.

   /sbin/{r,}dump{,_lfs} are sgid tty - this again (to me) doesn't seem
   necessary.

using write(1) would mean that messages might not get through when they
have in the past.  as these programs are usually run by root or operator
anyway, both of which have major access to the system, i don't see this
as a real issue.
   
   other such binaries are: /sbin/ccdconfig, /usr/sbin/pppd,
   /sbin/shutdown (this makes sense in some situations, I suppose, but anyone
   with gid operator could, fairly easily, obtain root through read access on
   /dev/[ws]d*), /usr/bin/login, /usr/sbin/sliplogin

ccdconfig shouldn't be setgid IMO, but thorpej disagrees.  it's only
useful so that non-root can "ccdconfig -g" which i don't believe is
a necessary or useful thing to provide.  but you'll have to convince
jason otherwise i think :-)

pppd and sliplogin are login shells, they need to be setuid.  on a
"harded" (of sorts) system i run, only priv(8), su(8) and pppd(8)
are set-id.  (priv is like sudo.)

/usr/bin/login is set-id so that someone can type "login" at a shell
to replace their current session.  "login" to a shell really ends up
doing an "exec /usr/bin/login".  this is of dubious advantage and
can cause utmp-lossage (or used to on older unix :-)  i wouldn't miss
the setuid bit on /usr/bin/login.
   
   Obviously making a default configuration as generic as possible is a complex
   task, but some of these strike me as unnecessary in all to most
   configurations. Am I the only one who finds this the case? :)
   
   On one system I have /, /var and /usr slices. By removing the s[ug]id bit
   from the binaries above, plus some others (uucp, rsh/rlogin) allows 
   /var and / to be mounted nosuid.
   Not that anything was stopping it before but now there are no s[gu]ids that
   are likely to break.

of course this "likely to break" depends vastly on your environment :-)


.mrg.