Zow Terry Brugger wrote:

>> on my own slackware 7.0 box i only have the following setuid or setgid
>> files
>
>
> <snip>
>
>> Xfree86:
>> i do use X
>
>
> Okay, this is one that I've wondered about for a while that perhaps someone
> could enlighten me on: if XFree86 (or Xwrapper on my Mandrake box here) is run
> as root by xdm or its descendants, why do users need to be able to execute it
> at all, much less have it be suid? I can see that need back in the days when
> one logged in via a terminal display & ran startx, but if we don't do that,
> does X really need to be suid 0?
>
> I'd try it myself to find out, but I have to get some real work done this
> afternoon. . .
>
> TIA,
> Terry

Slackware by default runs in runlevel 3. This means that users *do*
have to run startx. You can also configure {x|k|g}dm to run X as user,
so there will be cases where it does need suid.

Every box is different so what you really need is for the admin to
understand what does and doesn't need suid. When you get right down to
it, there are ways of entirely eliminating the beast using sudo and the
new capabilities functions in the kernel.

Capabilities are pretty sweet. They allow a binary to have certain
capabilities, like binding to port < 1024, raw network device usage or
chown without having root permissions. This means that BIND for example
will never need root if it has the CAP_NET_BIND_SERVICE capability set.
Login can have the CAP_SETUID capability set, etc.

For more information about this, see:

http://www.securityfocus.com/frames/?focus=linux&content=/focus/linux/articles/capabilities.html

-b

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]