Solaris 7 Setuid/Setgid files
Source: http://ist.uwaterloo.ca/security/howto/1999-04-21.html

Security Review: Solaris 7 Setuid/Setgid Files
Information Systems and Technology
University of Waterloo

1999/04/21-2001/05/04

Synopsis

As part of the effort to bring forward a Solaris 2.7 xhier master, a security review of that operating system is in order. This documents one part of that security review -- a review of all setuid/gid files found in the vendor distribution. The system examined was:

[12:56pm sun570] uname -a
SunOS sun570 5.7 Generic sun4m sparc SUNW,SPARCstation-10
[12:56pm sun570] date
Mon Apr  5 12:56:11 EDT 1999

Security requirements will vary depending on the system -- the security requirements for a payroll system (or an xhier master) will usually be considerably more rigorous than those of a personal workstation. The major Unix vendors often provide a system on the "open" end of the security continuum -- a system that's adequate where security requirements are minimal. Solaris 7 is no exception. But any system can be "hardened" to make it more secure. Our intent is to recommend a middle ground hardening (between the "open" system and the "locked down" system) that should be adequate for most systems in our environment. Nevertheless, we note recommendations that might be appropriate for systems with other security requirements (e.g. the payroll system vs. the desktop).

A Bourne Shell script to implement the recommendations made here is available (suitable for systems at UW and perhaps elsewhere) -- it can be edited to implement your choices.

All setuid/gid programs are opportunities that might be exploited by users who have (or gain) access to the system -- a common trick is to look for shell escapes or to try to get the program to execute code on a stack overflow. The general security rule is to minimize the number of setuid/gid programs -- especially setuid(root) programs. Doing so will help to reduce the risk of compromise. Another rule is to know what you're dealing with and make your own risk analysis. This document attempts to provide some information to readers so an informed choice can be made.

The list of setuid/setgid files found in the vendor distribution was calculated by scanning the file:

/var/sadm/install/contents

(as used by pkgchk(1) and other tools) for all files where the protection is recorded as setuid/gid. This list is a point in time on one system; other systems might well have more or fewer setuid/gid tools depending on the vendor packages installed (e.g. this machine has the UUCP package installed -- we'd not recommend that package).
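
The scan described above, as an added example (not the UW script this page refers to): a Bourne shell function that reads a contents-format file and reports every entry whose recorded mode carries the setuid or setgid bit. The field layout is assumed from the entries quoted in this review; `list_suid_sgid` and `write_sample` are hypothetical names, and the last two sample lines are constructed.

```sh
#!/bin/sh
# Added example: list setuid/setgid entries recorded in a Solaris package
# contents database (normally /var/sadm/install/contents).
# Assumed field layout, as in the entries quoted in this review:
#   path ftype class mode owner group size cksum modtime pkg

list_suid_sgid() {
    # $1: contents-format file to scan
    awk '
    # Only file entries (f = file, e = editable, v = volatile) carry
    # mode/owner/group in fields 4-6. Link entries such as
    # "path=target l none pkg" have no mode field and are skipped.
    $2 != "f" && $2 != "e" && $2 != "v" { next }
    # The mode must be octal with a special-bits digit (4+ digits);
    # "?" or a 3-digit mode cannot record setuid/setgid.
    $4 !~ /^[0-7][0-7][0-7][0-7]+$/ { next }
    {
        # Fourth digit from the right: 4 = setuid, 2 = setgid, 1 = sticky.
        special = substr($4, length($4) - 3, 1) + 0
        tag = ""
        if (int(special / 4) % 2) tag = "setuid(" $5 ")"
        if (int(special / 2) % 2) tag = tag (tag == "" ? "" : "/") "setgid(" $6 ")"
        if (tag != "") print $4, tag, $1
    }' "$1"
}

write_sample() {
    # $1: path to write. The first four lines are entries quoted in this
    # review; the /usr/bin/ls and /var/mail lines are constructed.
    cat > "$1" <<'EOF'
/usr/bin/at f none 4755 root sys 35916 40131 907659797 SUNWcsu
/usr/bin/ipcs=../../usr/lib/isaexec l none SUNWipc
/usr/bin/sparcv7/ipcs f none 2555 bin sys 10968 56995 904647634 SUNWipc
/usr/bin/passwd f none 6555 root sys 99640 6994 907659819 SUNWcsu
/usr/bin/ls f none 0555 root bin 1 1 1 SUNWcsu
/var/mail d none 1777 root mail SUNWcsr
EOF
}

# Demo run against the embedded sample; on a real system pass
# /var/sadm/install/contents to list_suid_sgid instead.
sample="${TMPDIR:-/tmp}/contents.sample.$$"
write_sample "$sample"
list_suid_sgid "$sample"
rm -f "$sample"
```

Comparing this output with the modes actually on disk shows where a local hardening step, or an unexpected change, has diverged from the vendor's recorded protection.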

At UW several xhier packages make an effort to manage these files -- sunos5 being the most obvious; there are tricks in the os-extras too and no doubt others we're not aware of. We've tried to document current xhier management efforts but may have missed some. It's important first to understand what the vendor gives you before looking at what xhier does with that.


Setuid/Setgid files found in Solaris 7

An annotated list of setuid/gid files as extracted from the vendor "contents" data base follows. A Bourne Shell script to implement these recommendations is available (suitable for systems at UW and perhaps elsewhere) -- it can easily be edited to implement your choices.
  1. /etc/lp/alerts/printer f none 4555 lp lp 203 15969 905483655 SUNWlpmsg
    setuid(lp) shell script that starts up a 'ttsession' to send a message (with sendMSg in same directory). There are very similar tools in the same directory but this is the only one that's setuid(lp) -- that seems strange but it's the same configuration as previous Solaris versions.

    Traditionally setuid shell scripts have been a security problem on Unix systems. Solaris will allow for setuid shell scripts so long as they aren't setuid(root). The traditional tricks for breaking through a setuid shell script seem to have been fixed on Solaris. The worst that could happen if you could subvert security with this script would be to get to the lp user. That would let one examine any print jobs, redirect them elsewhere, etc.

    History:
    We've never touched this one and we're not aware of any exploits of the System V print subsystem (but there have been exploits of BSD lpd). An xhier'd BSD lpd package is often recommended. We recently have seen security patches for different parts of the lp system (but still aren't aware of any exploits).

    Recommendation:
    Default -- try running without the setuid.

    You should think about using the vendor's printing system and not replace it with the xhier package.

  2. /usr/bin/admintool f none 4511 root sys 351872 35429 905483791 SUNWadmap
    setuid(root) but apparently only users in the sysadmin group can use it. Important vendor tool for managing the system. Casual users have no business playing with this tool.

    History:
    Since 1996 we've done a "chmod 400" to make the tool useless. There was the exploit/advisory in 1996 but no doubt things have been fixed.

    Recommendation:
    Default -- safest practice is to drop the setuid (but leave it executable). Tool is then only effective from an su (or sudo) session and that's a minor inconvenience.

    Alternative (low risk) -- Leave setuid but restrict to the sysadmin group and don't let others have any access.

  3. /usr/bin/at f none 4755 root sys 35916 40131 907659797 SUNWcsu
    setuid(root) for users to manage vendor's "batch" system -- the one time execution of a job by the cron system. The cron system must run as user root to change userid to the user who submits the job. Jobs could be spooled with less powerful rights (e.g. as user or group daemon) but that's not how the package is implemented.

    Seldom used by casual users. Often the default configuration is to restrict access; some sites allow everyone to submit jobs even though very few do. Some security consultants would recommend disabling all user access to the batch system(s) -- both cron and at.

    There's an xhier "batch" package that replaces the vendor's batch. It is clear that the xhier batch package isn't required on all systems -- I try to avoid it on systems I manage.

    See also the batch command (it's a shell wrapper into the at subsystem).

    History:
    We've never touched this one.

    Recommendation:
    Default -- leave it alone, modest risk.

    The files /usr/lib/cron/at.allow and at.deny are good mechanisms to control access to this part of the cron system. The default Solaris configuration is to deny access for a few system accounts (like user "daemon" and "smtp") who don't need the subsystem and to let everyone else use it.

    Unless there are good reasons otherwise, you should restrict access (by the "deny" and "allow" files) to only those users who need the service. But you're still left with a setuid program that users might try to exploit.

    Alternative (safe but inconvenient) -- On many systems this part of the batch system is never used. On those systems removing the setuid would be possible with minimal disruption to the user community. It would also be the safest strategy.

  4. /usr/bin/atq f none 4755 root sys 13996 54491 907659798 SUNWcsu
    setuid(root) for users to examine batch queue.

    Same history/recommendations as with the at interface to the batch subsystem.

  5. /usr/bin/atrm f none 4755 root sys 12704 30947 907659798 SUNWcsu
    setuid(root) for users to remove jobs from batch queue.

    Same history/recommendations as with the at interface to the batch subsystem.

  6. /usr/bin/cancel f none 4511 root lp 10400 5194 904647847 SUNWpcu
    setuid(root) for users to cancel print jobs in the vendor provided SysV printing system. Needs to be setuid(root) since the print daemon runs under the root user (to open devices and reserved ports, to read files spooled by users). Jobs could be spooled with less powerful rights (e.g. as user or group daemon) but that's not how the package is implemented.

    See also cancel, lp, lpset, lpstat, lpmove.

    History:
    We've never touched this one and we're not aware of any exploits of the System V print subsystem (but there have been exploits of BSD lpd). An xhier'd BSD lpd package is often recommended. We recently have seen security patches for different parts of the lp system (but still aren't aware of any exploits).

    When the BSD package is installed it doesn't do anything with the default SysV printing commands. Isn't that confusing for users who might expect SysV printing tools?

    Recommendation:
    Default -- leave it alone, critical component for printing.

    You should think about using the vendor's printing system and not replace it with the xhier package.

  7. /usr/bin/chkey f none 4555 root sys 36684 62706 904647808 SUNWnisu
    setuid(root) for users to manage the public key pair used in secure RPC. Pretty much a requirement of NIS+. Secure NFS needs host key pairs, but not user key pairs.

    History:
    We're not aware of anyone at UW using secure RPC, or NIS+ and we're not aware of any exploits.

    Recommendation:
    If you're not using secure RPC, NIS+, etc. then you can safely drop the setuid. Otherwise, you will need this setuid(root) and should therefore leave it alone.
  8. /usr/bin/crontab f none 4555 root bin 17044 44911 907659799 SUNWcsu
    setuid(root) for users to manage personal cron jobs. Seldom used by casual users and often the default cron.allow/deny files are such that only a few users may submit cron jobs.

    History:
    We've never touched this.

    Recommendation:
    Default -- leave it alone, modest risk.

    The /usr/lib/cron/cron.allow and cron.deny files are good mechanisms to control access. Compare with the controls on the at command. But you're still left with a setuid program that anyone can try to exploit.

    Alternative (safer but inconvenient) -- On many systems this part of the batch system is never used (or at least seldom used) by anyone other than the root user. On those systems removing the setuid is safe.

  9. /usr/bin/ct f none 4111 root uucp 71156 809 904647967 SUNWbnuu
    setuid(root) for managing dial in sessions on /dev/tty lines allocated for UUCP dial outs. Dials a number and presents the person who answers with a login session. I can't imagine a use for this and the interaction with ttymon makes this dodgy at best. UUCP is ancient networking technology. The assumption is the user uucp owns some of the /dev/tty devices that others may access when they're not being used by the UUCP system.

    History:
    Probably never used at UW -- it's a very esoteric tool.

    Recommendation:
    There's no need for any of the SUNWbnuu package unless you support a UUCP dialup connection. Default should be to not install the SUNWbnuu package (or if installed, it can safely be removed). The uuencode and uudecode commands, which some might want, are not part of that package.

    If the SUNWbnuu package is installed, this tool should have the setuid dropped. We cannot imagine any scenario where this tool would be required.

  10. /usr/bin/cu f none 4111 uucp uucp 84588 50154 904647981 SUNWbnuu
    setuid(uucp) for users who want to use a modem line to call out to some other system. cf. Kermit -- implements similar services to transfer files (but without any error correction).

    History:
    This was useful when we had a lot of UUCP links. We would guess that it has not been used in a very long time.

    Recommendation:
    There's no need for any of the SUNWbnuu package unless you support a UUCP dialup connection. Default should be to not install the SUNWbnuu package (or if installed, it can safely be removed).

    If the SUNWbnuu package is installed, this tool should have the setuid dropped. If there's a need for a dial out service through a connected modem this might be left alone; however, tip is a more mature tool that provides the same service.

  11. /usr/bin/eject f none 4555 root bin 14352 57783 907660094 SUNWcsu
    setuid(root) for users to manage removable devices like CD and floppy. Either ejects directly, or interacts with Volume Manager. See also volrmmount to eject removable media.

    History:
    There was at least one exploit. Current practice, from sunos5 package, is to clear the setuid.

    Recommendation:
    Default -- Current practice is the safest, drop the setuid.

    Alternative (convenient but risky) -- On a personal workstation with a very few trusted users this might be safe to leave setuid.

  12. /usr/bin/fdformat f none 4555 root bin 28776 46616 907659682 SUNWcsu
    setuid(root) for users to format a floppy disk. I'd be concerned about nasty users re-formatting my floppy.

    History:
    From sunos5 package setuid cleared.

    Recommendation:
    Same recommendations as for /usr/bin/eject.
  13. /usr/bin/login f none 4555 root bin 29292 53114 907659759 SUNWcsu
    setuid(root) so anyone can login as another user without doing the logout.

    History:
    On some systems the practice has been to drop the setuid -- users have to logout to re-login as another (or su to the other identity). There have been exploits of login related to argv's and environment (especially shared libraries) but current versions should be safe. Nevertheless there's been a tradition to replace the vendor-supplied login with an xhier version.

    Recommendation:
    We should use the vendor tool and not replace it. Especially since the vendor supports the PAM interface and other configuration settings -- password aging, password setting at first login and many other security settings.

    Default -- the safest practice would be to drop the setuid(root). This presents a modest inconvenience to some users who might want to login to another account without logging off. The su command provides an alternative for them.

  14. /usr/bin/lp f none 4511 root lp 22524 62502 904647782 SUNWpcu
    setuid(root) for users to submit print jobs in vendor provided SysV printing system. Needs to be setuid(root) as entire printing package runs under root.

    See also cancel, lp, lpset, lpstat, lpmove.

    History:
    See history of SysV /usr/bin/cancel.

    Recommendation:
    Default -- leave alone, pretty much a required tool, should be safe enough.

    You should think about using the vendor's printing system and not replace it with the xhier package.

  15. /usr/bin/lpset f none 4511 root lp 6920 8958 904647753 SUNWpcu
    setuid(root) for manipulating printer characteristics within SysV printing subsystem. Program restricts access to sysadmin group. Cf. admintool.

    See also cancel, lp, lpset, lpstat, lpmove.

    History:
    See history of SysV /usr/bin/cancel.

    Recommendation:
    Default -- safest practice is to drop the setuid so that printer settings can only be changed from an su (or sudo) session -- a minor inconvenience. Casual users have no business with this tool.

    Alternative (safe and convenient) -- leave the setuid but restrict to the sysadmin group and don't let others have any access.

    You should think about using the vendor's printing system and not replace it with the xhier package.

  16. /usr/bin/lpstat f none 4511 root lp 20884 19683 904647828 SUNWpcu
    setuid(root) to show status of all printers, queues, jobs in queues. Required tool for users to examine print queues. Compare with the traditional BSD lpq command. Quick tests on Solaris 2.6 seem to indicate that the setuid is required to communicate with remote spoolers -- probably relies on reserved ports.

    On Solaris the traditional BSD lpq command is just a link to this command.

    See also cancel, lp, lpset, lpstat, lpmove.

    History:
    See history of SysV /usr/bin/cancel.

    Recommendation:
    Default -- leave alone, pretty much a required tool, should be safe enough.

    You should think about using the vendor's printing system and not replace it with the xhier package.

  17. /usr/bin/mail f none 2511 bin mail 66936 57521 907659763 SUNWcsu
    setgid(mail) Traditional mail tool on SysV, predates the /usr/ucb/Mail command of BSD Unix. setgid(mail) required so users can create lock files in /var/mail (the spool area) which, on traditional SysV systems, is protected 775 -- setgid(mail) required to create/delete files. On traditional BSD systems /var/mail (or /usr/spool/mail, etc.) is protected 1777 with a sticky bit to prevent removals by any other than owner -- that's the practice on Solaris which still shows some BSD roots.

    On Solaris systems, as shipped, the setgid is not required. Leaving the setgid presents a modest risk.

    Since at least 2.5 Solaris has used /usr/lib/mail.local as the delivery tool run from sendmail to deliver mail. That tool only delivers mail and is fairly safe -- it's not setuid(root).

    History:
    A lot of tools expect a dumb old /usr/bin/mail. Users can find it confusing as /usr/ucb/mail is the better tool they'd usually want but we discourage the BSD tools. There's a UW tradition of front ending the search path with a BSD clone (a compiled local version rather than a link to the vendor tool!). On systems I manage I put a link to /usr/ucb/mail in /software/local*/bin -- that gives users a "smart" mail without importing more software into the system.

    Within xhier we've avoided the vendor mail delivery tools (this and mail.local) in favor of a locally maintained delivery tool which seems to have sendmail origins from some earlier version (it looks like the "binmail" tool). Current sendmail comes with a mail.local tool -- seems to be what vendor has provided.

    Recommendation:
    Default -- drop the setgid, it shouldn't be required.

    Alternative (low risk) -- leave it alone.

  18. /usr/bin/mailx f none 2511 bin mail 131756 57649 907660110 SUNWcsu
    setgid(mail) SysV implementation of BSD Mail -- a better interface than /usr/bin/mail. On Solaris 2.7 the BSD mail commands are links:

    /usr/ucb/Mail=../bin/mail s none SUNWscpu
    /usr/ucb/mail=../bin/mailx s none SUNWscpu

    setgid(mail) required so users can create lock files in /var/mail (the spool area) when /var/mail is protected 775 (as on SysV).

    There's also a /var/mail/:saved directory manipulated by mailx, it's mode 775 and group mail. I've never understood what it's for, but recall a problem if you drop the setgid.

    History:
    We've tried to have our users avoid this in favor of a local xhier'd version of UCB mail and/or tools like elm and pine.

    There have been security problems (see the unresolved Bugtraq 2001-05-02 vulnerability) and published exploits.

    Recommendation:
    Default -- drop the setgid, it shouldn't be required.

    Alternative (low risk) -- leave it alone.

  19. /usr/bin/netstat f none 2555 bin sys 50712 65266 907660225 SUNWcsu
    setgid(sys) Peeks at kernel memory to get information about network status (routing, connection status and more). An essential tool for system administrators, helpful for some users but seldom used by casual users. Memory is readable by group 'sys' hence the setgid.

    See also netstat, ipcs, eeprom, dmesg, prtconf, swap, sysdef.

    History:
    We've never touched this.

    Recommendation:
    Default -- drop the setgid.
  20. /usr/bin/newgrp f none 4755 root sys 7736 25316 907659772 SUNWcsu
    setuid(root) -- To allow a user to change their primary group -- you "login" to another group if you know the password for the group (it's stored in the /etc/group file, not in /etc/passwd). It's a fairly esoteric tool with SysV roots. On many systems the user carries with them a group list. On traditional SysV you have only one group and must newgrp to get access to other groups. Solaris is a strange mix of SysV and BSD Unix.

    We have verified that the setuid is required.

    History:
    We've never touched this.

    Recommendation:
    Default -- leave it alone, should be safe enough.

    Alternative (safe but inconvenient) -- if no one needs to change groups then drop the setuid.

  21. /usr/bin/passwd f none 6555 root sys 99640 6994 907659819 SUNWcsu
    setuid(root)/setgid(sys) To allow a user to change password. Vendor version implements PAM and can manage files (/etc/passwd and /etc/shadow), NIS and NIS+ (by a conversation with the server) and other authentication services when augmented with the correct PAM modules (e.g. Kerberos).

    Vendor version includes some password complexity requirements but only the length is configurable.

    Strangely Solaris doesn't come with chfn and chsh commands (on BSD systems those are linked to the passwd command). On Solaris only the root user can change a person's shell and/or full name using the passmgmt(1) tool. That comes from System V.

    History:
    We've encouraged a MFCF password suite and avoided NIS/NIS+.

    Recommendation:
    Default (xhier) -- assuming continued support for MFCF password suite, the default should be to replace the vendor tool with the MFCF version.

    We have some concerns about PAM, NIS and NIS+ support in our local version. We'd rather that some effort was spent at getting simple PAM modules to do what we need (i.e. to enforce a password policy).

    Default (vendor) -- leave it alone, should be safe enough.

    Alternative (safe but inconvenient) -- at secure sites one might drop the setuid and not allow users to change their passwords. Password changes would be managed from an su session (cf. name and shell management) to prevent users from setting obvious passwords and to make sure they are regularly changed.

  22. /usr/bin/rcp f none 4555 root bin 21368 49921 907660221 SUNWcsu
    setuid(root) -- to copy files between systems. Relies on rsh trust management. Seldom required for casual users, often required by root to synchronize file systems. The rcp client uses the rcmd(3) library call to make a connection and copy files about -- that requires root privileges to access a low numbered port. Used by some casual users, required by system managers.

    See also rsh, rcp, rdist and rlogin.

    History:
    Host based security can be compromised by forged IP addresses. Reserved port security fails on other than Unix systems. Users create .rhosts files that let anyone in -- system managers make same mistake with hosts.equiv.

    There is a tradition at UW to replace rsh, rcp and rlogin with versions in the ucb-remote package. That needn't be the default -- the vendor tools work well enough.

    Recommendation:
    Default -- leave alone, should be ok. Too many users would be affected if this tool was removed/disabled.

    System managers ought to consider using scp (that's part of the SSH suite) -- it's a much better tool. It's not part of the vendor distribution but it is a tool well worth having (we have a distribution in xhier). The SSH suite uses strong cryptography to protect the session and to guarantee the identity of the peers.

  23. /usr/bin/rdist f none 4555 root bin 56280 53623 907660226 SUNWcsu
    setuid(root) To distribute files between systems with Distfile rules. The rdist client (on sending system) uses the rcmd(3) library call to start an instance of rdist on the receiving system (effectively the client does an "rsh server rdist -S"). Relies on rsh trust management. Seldom required for casual users, often required by root to synchronize file systems.

    Vendor version (and xhier replacement) do not update file permissions when changed on the source system -- an irritating bug in both.

    See also rsh, rcp, rdist and rlogin.

    History:
    There have been exploits. We've replaced it with a mfcf-basics package that includes a non-setuid version of rdist. That version uses a pipe to "rsh server rdist -S" (i.e. a stdin/stdout connection to the rsh process on the same machine). That strategy is far safer but I would hope the vendor's version has been fixed. However, if your system is an xhier client then the mfcf-basics package is required.

    We are confident that the vendor's version has the historical exploit fixed but it's not a tool that many need to use.

    Host based security can be compromised by forged IP addresses. Reserved port security fails on other than Unix systems. Users create $HOME/.rhosts files that let anyone in -- system managers make the same mistake with the /etc/hosts.equiv file.

    We understand rdist is the underlying transport for xhier.

    Recommendation:
    Default (xhier) -- the mfcf-basics package replaces rdist with a version that is quite safe.

    Default (vendor) -- if your system is not an xhier client then dropping the setuid on rdist would be prudent until such time as there's a demonstrated need for users other than root to use this tool.

    Alternative -- if there are users who need it, leave it setuid but restrict access to a group (e.g. sysadmin would be good if only system administrators used it).

  24. /usr/bin/rlogin f none 4555 root bin 16772 63838 907660221 SUNWcsu
    setuid(root) Unix remote login relying on trusted hosts managed from /etc/hosts.equiv and $HOME/.rhosts. Makes a connection from a reserved port (any one under 1024) to port 513 on the server and passes the login name. Use of a reserved port requires that you be the root user; hence the setuid(root). The corresponding server won't trust a client unless it uses a reserved port.

    See also rsh, rcp, rdist and rlogin.

    History:
    Host based security can be compromised by forged IP addresses. Reserved port security fails on other than Unix systems. Users create .rhosts files that let anyone in -- system managers make same mistake with hosts.equiv.

    There is a tradition at UW to replace rsh, rcp and rlogin with versions in the ucb-remote package. That needn't be the default -- the vendor tools work well enough.

    Recommendation:
    Default -- Leave alone, should be ok. Too many users would be affected if this tool was removed/disabled.

    System managers ought to consider using ssh -- it's a much better tool. It's not part of the vendor distribution but it is a tool well worth having (we have a distribution in xhier). The SSH suite uses strong cryptography to protect the session and to guarantee the identity of the peers.

  25. /usr/bin/rsh f none 4555 root bin 9332 34264 907660222 SUNWcsu
    setuid(root) Unix remote shell execution. Relies on trusted hosts managed from /etc/hosts.equiv and $HOME/.rhosts. Uses rcmd(3) call to connect to port 514 on server and execute a command. setuid(root) is required to connect from a reserved port on the client.

    See also rsh, rcp, rdist and rlogin.

    History:
    Host based security can be compromised by forged IP addresses. Reserved port security fails on other than Unix systems. Users create .rhosts files that let anyone in -- system managers may make the same mistake with hosts.equiv.

    There is a tradition at UW to replace rsh, rcp and rlogin with versions in the ucb-remote package. That needn't be the default -- the vendor tools work well enough.

    Recommendation:
    Default -- Leave alone, should be ok. Too many users would be affected if this tool was removed/disabled.

    System managers ought to consider using ssh -- it's a much better tool. It's not part of the vendor distribution but it is a tool well worth having (we have a distribution in xhier). The SSH suite uses strong cryptography to protect the session and to guarantee the identity of the peers.

  26. /usr/bin/sparcv7/ipcs f none 2555 bin sys 10968 56995 904647634 SUNWipc
    setgid(sys) Peeks into kernel tables to report status of Inter Process Communication facilities (messages, semaphores and shared memory). Seldom, if ever, required by the casual user. Seldom used by system managers -- but occasionally when things go awry.

    We understand that the Universe application requires this tool.

    This is the real executable behind /usr/bin/ipcs which is not setuid. On Solaris 2.7 that's a hard link to

    /usr/bin/ipcs=../../usr/lib/isaexec l none SUNWipc

    isaexec finds the right image and runs it. There are several different Instruction Set Architectures (ISAs): sparcv7 is for traditionally 32-bit Sparc chips, sparcv9 is for the UltraSparc. You'll find this program in an ISA specific location.

    See also netstat, ipcs, eeprom, dmesg, prtconf, swap, sysdef.

    History:
    There have been security problems (see the unresolved Bugtraq 2001-04-12 vulnerability) and published exploits.

    Recommendation:
    Default -- drop the setgid (but beware this may affect Universe applications).
  27. /usr/bin/sparcv7/ps f none 4555 root sys 27628 17723 907659891 SUNWcsu
    setuid(root) Peeks at kernel tables to display process stats.

    This is the real executable behind /usr/bin/ps which is not setuid. On Solaris 2.7 that's a hard link to

    /usr/bin/ps=../../usr/lib/isaexec l none SUNWcsu

    isaexec finds the right image and runs it. There are several different Instruction Set Architectures (ISAs): sparcv7 is for traditionally 32-bit Sparc chips, sparcv9 is for the UltraSparc. You'll find this program in an ISA specific location.

    History:
    Programs accepting sensitive data as command line arguments are subject to snooping with this tool. The BSD version is deprecated with this version favored by vendor and by xhier default paths.

    Recommendation:
    Default -- safe enough, don't worry.
  28. /usr/bin/sparcv7/uptime f none 4555 root bin 11528 58064 907660046 SUNWcsu
    setuid(root) Reports how long the system has been up and run queue averages. Essential system diagnostic tool for all uses. Our experiments show it works fine without the setuid(root) (on Solaris 2.7 and 2.6) -- there's no need for the setuid.

    This is the real executable behind /usr/bin/uptime which is not setuid. On Solaris 2.7 that's a hard link to

    /usr/bin/uptime=../../usr/lib/isaexec l none SUNWcsu

    isaexec finds the right image and runs it. There are several different Instruction Set Architectures (ISAs): sparcv7 is for traditionally 32-bit Sparc chips, sparcv9 is for the UltraSparc. You'll find this program in an ISA specific location.

    History:
    We're not aware of any exploits or any UW history.

    Recommendation:
    Default -- drop the setuid, it seems to run fine.
  29. /usr/bin/su f none 4555 root sys 17976 7424 907659964 SUNWcsu
    setuid(root) Used to substitute user id (or become the super user). Requires that you know the user's password. Essential tool for system administrators, seldom required by casual users. Often used with the boot sequence to start up subsystems belonging to different users. setuid(root) required to change real user id.

    Supports PAM and can be configured to implement better controls.

    History:
    At UW we've used suw (the authorized user has a private re-usable password) and ssuw (the authorized user has a PIN and SecurID fob to generate one-time passwords). Sites with multiple system administrators are not satisfied with the vendor tool -- but it could be configured with PAM modules.

    Within IST we've left the vendor version but kept root's password a strict secret (behind several locks and keys). Some sites use the vendor's tool and not the xhier replacements.

    Recommendation:
    Default -- Current practice is safe (leave it alone).
  30. /usr/bin/tip f none 4711 uucp bin 56140 23775 907660004 SUNWcsu
    setuid(uucp) Terminal interface program, compare with cu. Seldom used these days.

    See the vulnerability at Bugtraq 2001-03-27.

    Same recommendation/history as for the cu command.

  31. /usr/bin/uucp f none 4111 uucp uucp 68584 14633 904647825 SUNWbnuu
    setuid(uucp) Unix to Unix copy command. Compare -- Unix to Unix execute (uux) is implemented by copying a bunch of files. Usually the UUCP network is restricted to E-mail only with perhaps a bit of UUCP file copies by system administrators.

    See also uucp, uuglist, uuname, uustat, uux, remote.unknown, uucico, uusched and uuxqt.

    History:
    Required for optional UUCP dial-up networking.

    Recommendation:
    There's no need for any of the SUNWbnuu package unless you support a UUCP dialup connection. Default should be to not install the SUNWbnuu package (or if installed, it can safely be removed).

    Default, if installed, should be to drop setuid.

  32. /usr/bin/uuglist f none 4111 uucp uucp 23612 35653 904647838 SUNWbnuu
    setuid(uucp) Lists the Unix to Unix execute command grades. I don't believe this needs to be setuid -- it works fine without. The uux command will accept an urgency grade. But uux is usually restricted to only the rmail command. And UUCP is not used around here.

    See also uucp, uuglist, uuname, uustat, uux, remote.unknown, uucico, uusched and uuxqt.

    Same history/recommendations as for uucp command.

  33. /usr/bin/uuname f none 4111 uucp uucp 20504 14973 904647847 SUNWbnuu
    setuid(uucp) Unix to Unix networking. Displays names of UUCP peers.

    See also uucp, uuglist, uuname, uustat, uux, remote.unknown, uucico, uusched and uuxqt.

    Same history/recommendations as for uucp command.

  34. /usr/bin/uustat f none 4111 uucp uucp 63336 62922 904647888 SUNWbnuu
    setuid(uucp) Displays status of the uux command queue.

    See also uucp, uuglist, uuname, uustat, uux, remote.unknown, uucico, uusched and uuxqt.

    Same history/recommendations as for uucp command.

  35. /usr/bin/uux f none 4111 uucp uucp 72016 20120 904647912 SUNWbnuu
    setuid(uucp) Unix to Unix execute command. Compare with rsh. Setuid required to read and create files belonging to user uucp. Controlled by /etc/uucp/Permissions on the server.

    See also uucp, uuglist, uuname, uustat, uux, remote.unknown, uucico, uusched and uuxqt.

    Same history/recommendations as for uucp command.

  36. /usr/bin/volcheck f none 4555 root bin 6264 46766 904647941 SUNWvolu
    setuid(root) Periodically checks for mounted volumes (CDs, floppies). Required for the CDE/DeskTop environment, runs from a shell script (/usr/dt/bin/sdtvolcheck) started sometime by the dtlogin process. Needs to be setuid(root) to manipulate devices. Allows a casual user on the desktop to use the CD and floppy drives. Normal use requires full physical access to the system (user is on the console) but there's nothing to prevent others from running it.

    Requires Volume Management Daemon (vold) to do the real work.

    One should be concerned about letting arbitrary users mount file systems. Seems dangerous, certainly not required on a multi-user system with a vt100/dumb console where only the root user at the console has access to the removable media.

    History:
    Don't know.

    Recommendation:
    Default -- drop setuid. Pending further tests.
  37. /usr/bin/volrmmount f none 4555 root bin 11176 6812 904647942 SUNWvolu
    setuid(root) Removable Media mount/unmount -- force CD/floppy mount/eject through volume manager.

    Requires Volume Management Daemon (vold) to do the real work.

    Seems dangerous, certainly not required on a multi-user system with a secure vt100/dumb console. In general only the root user at the console should have access to the removable media. But there will be systems, like personal work stations, where users might want or need this.

    Works fine for root user if the setuid is dropped -- panel pops up when media inserted and ejects fine.

    History:
    Don't know.

    Recommendation:
    Default -- drop setuid. But on a personal work station one might want to leave setuid and accept the risk.
  38. /usr/bin/write f none 2555 bin tty 11588 16409 907660050 SUNWcsu
    setgid(tty) -- to write a message to a user on another /dev/tty device (hence setgid). Replaced by the much better talk/talkd service.

    See also wall.

    History:
    Abused sometimes to send out false messages, harassing notes. I'm not aware of any exploits. Low risk but high nuisance value. On a multi-user system you might restrict access to sysadmin users.

    Recommendation:
    Default -- remove the setgid, it's a nuisance.
  39. /usr/dt/bin/dtaction f none 6555 root sys 24356 11306 905581835 SUNWdtbas
    setuid(root), setgid(sys) -- to start up a CDE/Desktop Action from a script, etc. without being part of the CDE environment. Accepts host and user name arguments suggesting that you can do this to anyone on any system.

    This looks very scary, I don't trust it. It runs fine for me without the setuid -- I can start up actions on my screen from a CDE session or from a telnet session on Solaris 2.6.

    History:
    Don't know.

    Recommendation:
    Default -- drop setuid/setgid. There seems to be no loss of functionality.
  40. /usr/dt/bin/dtappgather f none 4555 root bin 36180 28912 905584158 SUNWdtdte
    setuid(root) Run at CDE login to build a directory of applications available at the CDE console (Application Manager -- Customs, DeskTop Apps, DeskTop Controls and Information). If you drop the setuid those CDE console applications can fail.

    It would appear that the setuid is required to create the directory which contains links back to the user's home directory and to other file systems. This example is from Solaris 2.6 but I assume the same applies to Solaris 7:

    [12:10pm xsv] cd /var/dt/appconfig/appmanager/reggers-xsv-0/
    [12:11pm xsv] ls
    total 18
       2 dr-xr-xr-x   2 reggers  other        512 Jun 29 12:01 ./
       2 drwxr-xr-t   3 root     root         512 Jun 29 12:01 ../
       2 lrwxrwxrwx   1 reggers  other         33 Jun 29 12:01 \
          Customs -> /u/reggers/.dt/appmanager/Customs/
       2 lrwxrwxrwx   1 reggers  other         43 Jun 29 12:01 \
          Desktop_Apps -> /usr/dt/appconfig/appmanager/C/Desktop_Apps/
       2 lrwxrwxrwx   1 reggers  other         47 Jun 29 12:01 \
          Desktop_Controls -> /usr/dt/appconfig/appmanager/C/Desktop_Controls/
       2 lrwxrwxrwx   1 reggers  other         44 Jun 29 12:01 \
          Desktop_Tools -> /usr/dt/appconfig/appmanager/C/Desktop_Tools/
       2 lrwxrwxrwx   1 reggers  other         42 Jun 29 12:01 \
          Information -> /usr/dt/appconfig/appmanager/C/Information/
       2 lrwxrwxrwx   1 reggers  other         42 Jun 29 12:01 \
          OpenWindows -> /usr/dt/appconfig/appmanager/C/OpenWindows/
       2 lrwxrwxrwx   1 reggers  other         43 Jun 29 12:01 \
          System_Admin -> /usr/dt/appconfig/appmanager/C/System_Admin/

    I've discovered that if you have the directory as above with all the links in it then CDE runs fine without the setuid on dtappgather. However, any new CDE user won't be able to create the directory and links when they login (you'll get a gripe about missing folders in /var/dt/appconfig/appmanager).

    The vendor ought to change where it expects to find these various folders. If they were found in the user's home directory then there would be no need for the setuid!

    History:
    From sunos5 package setuid cleared. That doesn't seem right.

    Recommendation:
    Default -- leave it alone; required of CDE.

    Safer -- drop the setuid if you don't support CDE sessions.

  41. /usr/dt/bin/dtmail f none 2555 bin mail 1543208 51 905588168 SUNWdtdst
    setgid(mail) DeskTop E-mail application found in CDE. Setgid(mail) for the same reason mailx and other mail tools are. Also supports IMAP mode.

    History:
    Popular mailer packaged with CDE. But many users prefer pine (if that's their history) or Netscape Communicator.

    Recommendation:
    Default -- drop the setgid, it shouldn't be required.

    Alternative (low risk) -- leave it alone.

  42. /usr/dt/bin/dtmailpr f none 2555 bin mail 554580 39936 905588193 SUNWdtdst
    setgid(mail). CDE DeskTop E-mail print application. I don't see why this is setgid(mail) -- it formats files (which should belong to the owner) and/or stdin.

    History:
    Packaged with CDE mailer.

    Recommendation:
    Default -- drop the setgid, it shouldn't be required.
  43. /usr/dt/bin/dtprintinfo f none 4555 root bin 357220 2496 905586275 SUNWdtdst
    setuid(root) -- program started when you click the printer icon on the CDE tool bar. Interacts with vendor print system, not with xhier BSD replacement. It would appear that all the real work is done by running other tools (like lpstat or etc.) so it's hard to see why this is setuid(root). Quick tests on Solaris 2.6 seem to indicate it works fine without the setuid.

    History:
    Packaged CDE tool.

    Recommendation:
    Default -- drop setuid.
  44. /usr/dt/bin/dtsession f none 4555 root bin 147876 21480 905581361 SUNWdtwm
    setuid(root) -- session manager invoked immediately after dtlogin (it's dtlogin that presents the console login panel). Not at all obvious why this needs to be setuid, certainly not required if no CDE environment is provided (through dtlogin at console or for X11 stations).

    This application manages the CDE application panel which includes a "lock" icon -- click the icon to lock your screen. It also locks your screen if you're idle for too long. Terminal locking is what makes this application a problem.

    The setuid is required for CDE terminal locking -- the usual /etc/shadow problem (you need to be able to read shadow passwords to authenticate the user). Without the setuid the lock will not work properly -- you can lock your screen but you can't unlock it as your dtsession isn't able to read the shadow password file to verify the password you type to unlock the screen. Of course one can use the xlock application of OpenWindows. That seems to be the only loss of functionality if you drop the setuid.

    On recent PAM compliant versions of Solaris you may have configured your system to use an authentication method that doesn't require access to your shadow password file (eg. we authenticate against an NT domain). If that method doesn't require special privileges then dropping the setuid can be done with no loss of functionality.

    If you can convince your users that CDE isn't secure (and this is an example of why it's not) then you could get rid of this. You really ought to get rid of it on back room servers.

    History:
    There have been security problems (see the unresolved Bugtraq 2001-04-11 vulnerability) and root exploits.

    Recommendation:
    Default -- leave it alone (would break lock icon of CDE session) if you're using CDE. I'm uncomfortable with that recommendation but I see no way of having CDE without having this setuid.

    On servers where CDE isn't required and no CDE login sessions are supported you can safely drop the setuid. Likewise, if you're using a PAM authentication method that doesn't require root privileges you can drop the setuid.

  45. /usr/dt/bin/sdtcm_convert f none 6555 root daemon 311576 57009 905584103 SUNWdtdmn
    setuid(root), setgid(daemon) -- converts OpenWindows calendars from version 3 to 4. Clearly without calendars to convert, there's no need for the setuid. Likewise, once calendars have been converted there's no need for the setuid.

    History:
    From sunos5 package setuid cleared.

    Recommendation:
    Default -- continue current practice (drop setuid).
  46. /usr/lib/acct/accton f none 4755 root adm 5304 53691 904647593 SUNWaccu
    setuid(root) -- to turn on the process accounting system. That system is managed by user 'adm' but requires root access (to prod the kernel when accounting is turned on/off). The adm user watches space utilization from a cron job and may need to shut down the accounting system when space is tight.

    Required if accounting enabled. But can be restricted to adm group (includes users daemon, root and user adm). There is no need for everyone to have access.

    History:
    Very old tool, not aware of any exploits.

    Recommendation:
    Default -- restrict to the adm group.

    Alternative (safer) -- if process accounting is not required, drop the setuid.
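
The fourth field of the package-map lines quoted in these entries is the octal mode, and its leading digit carries the setuid (4) and setgid (2) bits. The Bourne shell sketch below is an added example, not part of the original review and not the script the review refers to: it decodes that digit for lines copied from entries 27-29, 38, 39 and 46 and prints, without running it, the chmod each recommendation implies. The function names, the keep/drop/group-only keywords and the policy table are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: turn pkgmap-style lines into a reviewable chmod plan.
# Nothing is changed on disk; the plan is only printed.

# Constructed sample: lines copied from entries 27, 28, 29, 38, 39 and 46.
# Fields: path ftype class mode owner group size cksum modtime package
sample_pkgmap() {
cat <<'EOF'
/usr/bin/sparcv7/ps f none 4555 root sys 27628 17723 907659891 SUNWcsu
/usr/bin/ps=../../usr/lib/isaexec l none SUNWcsu
/usr/bin/sparcv7/uptime f none 4555 root bin 11528 58064 907660046 SUNWcsu
/usr/bin/su f none 4555 root sys 17976 7424 907659964 SUNWcsu
/usr/bin/write f none 2555 bin tty 11588 16409 907660050 SUNWcsu
/usr/dt/bin/dtaction f none 6555 root sys 24356 11306 905581835 SUNWdtbas
/usr/lib/acct/accton f none 4755 root adm 5304 53691 904647593 SUNWaccu
EOF
}

# Hypothetical policy table (path action) mirroring the "Default"
# recommendations above. /usr/bin/su is left out on purpose so the
# "no recorded decision" path is exercised.
sample_policy() {
cat <<'EOF'
/usr/bin/sparcv7/ps keep
/usr/bin/sparcv7/uptime drop
/usr/bin/write drop
/usr/dt/bin/dtaction drop
/usr/lib/acct/accton group-only
EOF
}

# special_bits MODE -> setuid | setgid | setuid,setgid | none
special_bits() {
    case $1 in
        [0-7][0-7][0-7][0-7]) sb=${1%???} ;;
        [0-7][0-7][0-7])      sb=0 ;;
        *) return 1 ;;
    esac
    out=
    if [ $(( $sb & 4 )) -ne 0 ]; then out=setuid; fi
    if [ $(( $sb & 2 )) -ne 0 ]; then out=${out:+$out,}setgid; fi
    echo "${out:-none}"
}

# new_mode MODE ACTION -> four-digit mode after applying the action.
#   keep        leave the mode alone
#   drop        clear setuid and setgid, preserve the sticky bit
#   group-only  keep the special bits, remove all access for "other"
new_mode() {
    nm=$1
    case $nm in
        [0-7][0-7][0-7])      nm=0$nm ;;
        [0-7][0-7][0-7][0-7]) ;;
        *) return 1 ;;
    esac
    hi=${nm%???}    # special-bits digit
    lo=${nm#?}      # owner/group/other digits
    case $2 in
        keep)       echo "$nm" ;;
        drop)       echo "$(( $hi & 1 ))$lo" ;;
        group-only) echo "$hi${lo%?}0" ;;
        *) return 1 ;;
    esac
}

# plan POLICY_FILE < pkgmap lines
# One output line per regular file that carries setuid/setgid:
# KEEP, REVIEW (no decision recorded) or the chmod to apply.
plan() {
    while read -r path ftype class mode owner group rest; do
        if [ "$ftype" != f ]; then continue; fi      # skip links, dirs
        bits=$(special_bits "$mode") || continue     # skip malformed modes
        if [ "$bits" = none ]; then continue; fi
        action=$(awk -v p="$path" '$1 == p { print $2; exit }' "$1" </dev/null)
        if [ -z "$action" ]; then
            echo "REVIEW $path $mode $bits $owner:$group"
            continue
        fi
        want=$(new_mode "$mode" "$action") || { echo "BADPOLICY $path $action"; continue; }
        if [ "$want" = "$mode" ]; then
            echo "KEEP $path $mode $bits $owner:$group"
        else
            echo "chmod $want $path # was $mode $bits $owner:$group"
        fi
    done
}

demo() {
    policy_file=$(mktemp) || return 1
    sample_policy > "$policy_file"
    sample_pkgmap | plan "$policy_file"
    rm -f "$policy_file"
}
demo
```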

  47. /usr/lib/fs/ufs/quota f none 4555 root bin 15260 53521 907660042 SUNWcsu
    setuid(root) -- to report user file quota and usage. Must be setuid to read the quota files. Required tool if you've implemented file quotas.

    History:
    Very old tool.

    Recommendation:
    Default -- low risk, required tool (if you have file quotas).

    Alternative (safer) -- drop the setuid (if you don't have file quotas).

  48. /usr/lib/fs/ufs/ufsdump f none 6555 root tty 163892 32414 907660047 SUNWcsu
    setuid(root), setgid(tty) -- to dump file systems to secondary storage. That should only be done by the root user (to read the devices you need to be root). It's hard to justify letting anyone other than the root user have access to this tool. If any user can dump file systems then they can read all data.

    There was a time when user "operator" was doing file system dumps. These days the Legato Networker has pretty much replaced this tool. Sites here typically don't use dump/restore anymore.

    History:
    Very old tool. There have been exploits.

    Recommendation:
    Default -- No good reason for setuid/setgid, should be dropped.
  49. /usr/lib/fs/ufs/ufsrestore f none 4555 root bin 848088 16765 907660157 SUNWcsu
    setuid(root) -- to restore file systems dumped to tape. This should only be done by the root user -- it's hard to justify letting anyone have root access to this tool.

    History:
    Setuid cleared from sunos5 package.

    Recommendation:
    Default -- continue current practice (drop the setuid).
  50. /usr/lib/lp/bin/netpr f none 4511 root bin 19564 27112 904648274 SUNWpsu
    setuid(root) -- This does the host to host file transfer required for printing to remote systems using the traditional BSD protocol. The sending end (the netpr process) would need to be root to bind a reserved port. I'm not sure that it needs to be setuid(root) -- if invoked by an lp command it should have the same effective/real userid.

    While the lpsched process runs as user root we believe that other processes run as user lp. If that's true it would explain why this print filter is setuid(root).

    History:
    New in Solaris 2.6.

    Recommendation:
    Leave it alone.
  51. /usr/lib/pt_chmod f none 4111 root bin 4316 527 907659836 SUNWcsu
    setuid(root) -- no manual page, no Answerbook entry, nothing much to see from strings. I believe it's used by dtterm to set protection mode and ownership of the pseudo-tty allocated for the virtual terminal (the pseudo-ttys belong to user root group sys -- their ownership and mode is changed). I don't see an exec of it when I trace (with truss) the execution of dtterm.

    If you drop the setuid then dtterm complains that it is unable to get a pseudo-tty. You can find a reference to /usr/lib/pt_chmod if you do a strings on /usr/lib/libc.a. That suggests it's buried in some function call and may be required by other utilities which use pseudo-ttys.

    History:
    Found in Solaris 2.4, perhaps earlier. There have been Sun patches for early versions.

    Recommendation:
    Leave it alone -- dropping the setuid would mean dtterm can't get a pseudo-tty. Other tools may require this as well.
  52. /usr/lib/sendmail f none 4555 root bin 643464 24840 904647922 SUNWsndmu
    setuid(root) -- the mail delivery system. Requires setuid(root) for several reasons: to open a privileged port (the SMTP port where mail is received), to read any user's .forward, to become a user when delivering their mail, etc.

    These days Sun has a product "Sun Internet Mail Services" (SIMS) for large sites. It doesn't use sendmail as the delivery system. The vendor does provide a reasonably current version but they're still slow at tracking the public domain version. Eg. recent denial of service patches for the public domain version weren't available for the vendor version until several weeks later.

    History:
    Exploits too numerous to mention, vendor didn't track the public domain work and we always replaced vendor version.

    Recommendation:
    Default (xhier) -- xhier version tracks the public domain.

    Alternative (vendor) -- if you use the vendor version it must remain setuid and you ought to keep up with patches.

  53. /usr/lib/utmp_update f none 4555 root bin 8576 57715 907660032 SUNWcsu
    setuid(root) -- no manual page, no Answerbook entry and nothing much to see from strings. Seems to have something to do with utmp data (who is on what tty?).

    On Solaris /var/adm/utmp and utmpx files are managed by the utmpd daemon. Older applications wrote the entries directly, these days it's done by an API that interfaces via the daemon. No doubt this tool has something to do with that.

    You can find a reference to /usr/lib/utmp_update if you do a strings on libc.a -- I believe the routines pututline(3) and pututxline(3) invoke this routine. Like pt_chmod this seems to be part of an effort to strip the setuid elements out of dtterm (setting pseudo-tty ownership and recording utmp data requires privileges).

    History:
    Found in Solaris 2.4, perhaps earlier. There have been Sun patches for early versions.

    Recommendation:
    Leave it alone, required by dtterm and perhaps other programs too (like login).
  54. /usr/lib/uucp/remote.unknown f none 4111 uucp uucp 6156 26371 904648019 SUNWbnuu
    setuid(uucp) Controls UUCP connections. Executed when an unknown system connects and tries to start a uucico conversation. It logs the conversation attempt and drops the connection.

    See also uucp, uuglist, uuname, uustat, uux, remote.unknown, uucico, uusched and uuxqt.

    Same history/recommendations as for uucp command.

  55. /usr/lib/uucp/uucico f none 4111 uucp uucp 168020 913 904648078 SUNWbnuu
    setuid(uucp) Unix to Unix copy input, copy output. The daemon that makes UUCP host to host connections and transfers files. Run regularly from cron by user uucp, also spawned off by any user who invokes uucp or uux.

    See also uucp, uuglist, uuname, uustat, uux, remote.unknown, uucico, uusched and uuxqt.

    Same history/recommendations as for uucp command.

  56. /usr/lib/uucp/uusched f none 4111 uucp uucp 34408 51857 904648027 SUNWbnuu
    setuid(uucp) Unix to Unix scheduling within crontab of uucico calls. Organizes the cron system a bit.

    See also uucp, uuglist, uuname, uustat, uux, remote.unknown, uucico, uusched and uuxqt.

    Same history/recommendations as for uucp command.

  57. /usr/lib/uucp/uuxqt f none 4111 uucp uucp 84904 5581 904648088 SUNWbnuu
    setuid(uucp) Unix to Unix execute daemon. Invoked by uucico after files are transferred between systems. Implements the server side of the uux command.

    See also uucp, uuglist, uuname, uustat, uux, remote.unknown, uucico, uusched and uuxqt.

    Same history/recommendations as for uucp command.

  58. /usr/openwin/bin/ff.core f none 6555 root bin 14908 62007 903053746 SUNWoldst
    setuid(root), setgid(bin) -- no manual pages, no Answerbook entry and when invoked it segment faults (that doesn't bode well). Seems to have something to do with mounting and formatting floppies.

    The OpenWindows utility format_floppy (which isn't setuid(root)) seems to be using this setuid tool and others like eject, to do its work. We also believe the filemgr component of the CDE DeskTop uses this (perhaps indirectly) to format floppies.

    The root user can format floppies even if the setuid is dropped.

    History:
    Part of OpenWindows. There are security related patches for earlier releases (which suggest that it would be prudent to drop the setuid).

    Recommendation:
    Default -- drop setuid. But on a personal work station one might want to leave setuid and accept the risk.
  59. /usr/openwin/bin/Xsun f none 2755 root root 1993952 42324 957761599 SUNWxwplt
    setgid(root) -- this is the X11 server. It turns the console from a dumb old vt100-like device into an X11 display with keyboard and mouse, and all that's done for you if your machine is configured to use dtlogin on the console. In the not so olden days people logged in to the console as a dumb terminal session and then started up an X11 session -- that required the setgid to gain access to the special devices. These days it's no longer required at all.

    On a system without a Sun console the utility is useless (we often strip the console off back room servers and use instead a dumb/vt100 device on a serial port).

    History:
    There have been security problems (see the unresolved Bugtraq 2001-04-10 vulnerability) and root exploits.

    Recommendation:
    There is no need for the setgid -- drop it.
  60. /usr/openwin/bin/kcms_calibrate f none 6755 root bin 94044 40804 900007917 SUNWkcspg
    setuid(root), setgid(bin) -- calibrate the colors of the console display, requires a special tool that connects to the serial port and that's held against the screen. Certainly not a casual user tool, this would be seldom used. It's a once only effort (if ever).

    History:
    From sunos5 package setuid cleared. There are security patches for previous versions of Solaris.

    Recommendation:
    Default -- continue current practice (drop the setuid).
  61. /usr/openwin/bin/kcms_configure f none 6755 root bin 27752 20868 900007823 SUNWkcsrt
    setuid(root), setgid(bin) -- configure the display. Certainly not a casual user tool, this would only be used once (or if/when the console display is changed).

    History:
    From sunos5 package setuid cleared. There are security patches for previous versions of Solaris. There have been security problems (see the unresolved Bugtraq 2001-04-09 and Bugtraq 2001-04-11 vulnerabilities) and published exploits.

    Recommendation:
    Default -- continue current practice (drop the setuid).
  62. /usr/openwin/bin/mailtool f none 2555 root mail 647824 63102 903048541 SUNWoldst
    setgid(mail). Desk Top E-mail application predating CDE. Setgid(mail) for same reason mailx and other mail tools are.

    History:
    Popular historical mailer but vendor recommended tool is now CDE dtmail -- much of the original OpenWindows is replaced by CDE DeskTop tools.

    Recommendation:
    Default -- drop the setgid, it shouldn't be required.

    Alternative (low risk) -- leave it alone.

  63. /usr/openwin/bin/sys-suspend f none 4775 root bin 42904 22260 902189829 SUNWpmowu
    setuid(root). To "suspend" the system (a kind of soft shutdown to conserve power) -- the system comes back up with a locked screen. Default configuration allows whoever is on the console to use this command. Useful on portables where there are very few users. Scary on a multi-user server.

    History:
    Seldom used.

    Recommendation:
    Default -- remove the setuid (especially on any multi-user system).

    Alternative (risky) -- Might be acceptable on a desktop. Probably Ok on a portable.

  64. /usr/openwin/bin/xlock f none 4775 root bin 67920 60222 904169470 SUNWxwplt
    setuid(root). To lock your X11 screen. Must be setuid(root) to get access to shadow password file. Should be PAM aware -- it isn't. This isn't the lock used by the CDE panel.

    It's no longer a required tool as there is the CDE replacement. No doubt there are many users who still expect it to work. Dropping the setuid could break things real bad -- you wouldn't be able to unlock a screen because the program wouldn't be able to read your password!

    History:
    Required tool, often replaced with a version without the animation and with a timeout. Sometimes abused in labs. There were security problems where people could break an xlock but those have been fixed.

    Recommendation:
    Default -- leave alone, it's a low risk and lots of people are still using it.
  65. /usr/openwin/lib/mkcookie f none 4755 root bin 24176 48264 904029727 SUNWxwplt
    setuid(root). No manual page, no AnswerBook entry. Seems to be part of X11 magic-cookie authorization mechanism (who can access my X11 server?) -- apparently the X server runs this to generate a cookie. Seems to be pre-CDE where consoles didn't have dtlogin -- user logged into console and ran an "openwin" script that started up the X11 server, set cookies, etc. With dtlogin this is obsolete, with CDE pretty much all of OpenWindows is obsolete. Actually that's a hasty comment -- Xsun is still found under /usr/openwin.

    If you run the command without arguments you get some information about usage with a warning that you can really screw things up.

    If stripped of the setuid a Solaris 7 system boots fine and presents the login panel. The X server in that case is started by the root user.

    History:
    OpenWindows crude interface to X11.

    Recommendation:
    Default -- drop setuid.
  66. /usr/platform/sun4m/sbin/eeprom f none 2555 bin sys 11664 37543 904647602 SUNWkvm
    setgid(sys) to display EPROM configuration -- opens /dev/openprom which is readable by group sys. Need to be root to set EPROM values. There's no need for casual access to this tool. System managers need to see this information but can as user root.

    Note there are several different hardware platforms (sun4u is an UltraSparc, sun4m is a Sparc). You'll find the eeprom program in a platform-specific location.

    See also netstat, ipcs, eeprom, dmesg, prtconf, swap, sysdef.

    History:
    Current practice is to leave as provided.

    Recommendation:
    Default -- drop the setgid.
  67. /usr/sbin/allocate f none 4755 root bin 17584 53906 907660121 SUNWcsu
    We don't know what this is for. Manual suggests it has something to do with device management (to make sure devices belong to the right person) but is only relevant if the "Basic Security Module (BSM)" has been activated.

    I've not seen this tool on other versions of Unix. The SUNWcsu package seems to be all of the "standard" Unix distribution. It's usually understood that the directory /usr/sbin is there for rebooting the system in single user mode where setuid seems silly -- you are the root user.

    History:
    Don't know. I'm not aware of any bugs, not aware of any use.

    Recommendation:
    Drop the setuid until there's a demonstrated need.
  68. /usr/sbin/arp f none 2555 root bin 8424 57070 907660135 SUNWcsu
    setgid(bin) -- displays the ARP table. ARP stands for Address Resolution Protocol. The table consists of mappings to/from ethernet addresses and IP numbers that are either loaded at boot-time (from /etc/ethers) or learned from the net during normal operations. I'll assume ethernet -- with other network media the table will vary. This works well enough without the setgid.

    History:
    Don't know of any exploits, but practice at UW has been to remove setgid from os-extras package.

    Recommendation:
    Default -- current practice works well and is safest strategy. Drop the setgid.
  69. /usr/sbin/lpmove f none 4511 root lp 6940 56454 904647858 SUNWpcu
    setuid(root) -- so users can move jobs from one print queue to another. Seldom used and limited to local queues -- you cannot move jobs once they've been sent to another site (and often printers are central with lots of clients spooling to them).

    See also cancel, lp, lpset, lpstat, lpmove.

    History:
    See history of SysV /usr/bin/cancel.

    Recommendation:
    Default -- you can drop the setuid without affecting very much. Users can always lprm and resubmit in those very rare instances where they'd need this command.
  70. /usr/sbin/mkdevalloc f none 4755 root bin 9992 24309 907660121 SUNWcsu
    setuid(root) -- We don't know what this does. No manual page, nothing in the Answerbook. Seems to take no arguments and behaves the same without the setuid.

    I believe this has something to do with the dynamic management of floppy disks. But that seems to work well enough without the setuid. If that's correct it's certainly not required on a multi-user system with a secure vt100/dumb console. In general only the root user at the console should have access to the removable media. But there will be systems, like personal work stations, where users might want or need this.

    History:
    Don't know.

    Recommendation:
    Default -- drop setuid. But on a personal work station one might want to leave setuid and accept the risk.
  71. /usr/sbin/mkdevmaps f none 4755 root bin 10244 29117 907660121 SUNWcsu
    setuid(root) -- We don't know what this does. No manual page, nothing in the Answerbook. Seems to take no arguments and behaves the same without the setuid.

    I believe this has something to do with the dynamic management of floppy disks. But that seems to work well enough without the setuid. If that's correct it's certainly not required on a multi-user system with a secure vt100/dumb console. In general only the root user at the console should have access to the removable media. But there will be systems, like personal work stations, where users might want or need this.

    History:
    Don't know.

    Recommendation:
    Default -- drop setuid. But on a personal work station one might want to leave setuid and accept the risk.
  72. /usr/sbin/ping f none 4555 root bin 20404 7748 907660150 SUNWcsu
    setuid(root) -- send ICMP ping packets to other systems to test network connectivity.

    History:
    Historical tool since the beginning of IP networking, used by many.

    Recommendation:
    Default -- leave alone, too many people use it.
  73. /usr/sbin/pmconfig f none 4555 root bin 14420 37734 904647782 SUNWpmu
    setuid(root) -- configure power management system. Run automatically at boot time and should be run manually when /etc/power.conf changes. Since changing /etc/power.conf would require root access there's no need for this to be setuid.

    History:
    Don't know.

    Recommendation:
    Default -- drop the setuid.

    Alternative -- leave the setuid but restrict to the sysadmin group and don't let others have any access.

  74. /usr/sbin/sacadm f none 4755 root sys 23048 31363 907659908 SUNWcsu
    setuid(root) -- service access controller administration for managing login devices (/dev/tty terminals on serial lines). Casual users can get status information, root user can change things.

    History:
    SAC is SysV replacement for getty, gettytab of BSD systems.

    Recommendation:
    Default -- drop the setuid.

    Alternative -- leave the setuid but restrict to the sysadmin group and don't let others have any access.

  75. /usr/sbin/sparcv7/dmesg f none 2555 bin sys 6552 62403 904647583 SUNWesu
    setgid(sys) to do kernel peeking for console log of device configuration. Manual page says it's made obsolete by syslogd. Nothing interesting for the casual user, but important data for system managers (who could get the information as user root).

    This is the real executable behind /usr/sbin/dmesg which is not setuid. On Solaris 2.7 that's a hard link to

    /usr/sbin/dmesg=../../usr/lib/isaexec l none SUNWesu

    isaexec finds the right image and runs it. There are several different Instruction Set Architectures, or ISAs (sparcv7 is for traditionally 32-bit Sparc chips, sparcv9 is for the UltraSparc). You'll find this program in an ISA specific location.

    See also netstat, ipcs, eeprom, dmesg, prtconf, swap, sysdef.

    History:
    Some sites drop the setgid (a standard within MFCF).

    Recommendation:
    Default -- drop the setgid.
  76. /usr/sbin/sparcv7/prtconf f none 2555 root sys 19508 49451 907659865 SUNWcsu
    setgid(sys) to do kernel peeking for system configuration, devices and drivers. Not too interesting to the casual user, essential for system administrators (but similar information elsewhere).

    This is the real executable behind /usr/sbin/prtconf which is not setuid. On Solaris 2.7 that's a hard link to

    /usr/sbin/prtconf=../../usr/lib/isaexec l none SUNWcsu

    isaexec finds the right image and runs it. There are several different Instruction Set Architectures, or ISAs (sparcv7 is for traditionally 32-bit Sparc chips, sparcv9 is for the UltraSparc). You'll find this program in an ISA specific location.

    See also netstat, ipcs, eeprom, dmesg, prtconf, swap, sysdef.

    History:
    Don't know.

    Recommendation:
    Default -- drop the setgid.
  77. /usr/sbin/sparcv7/swap f none 2555 bin sys 9848 44308 907659953 SUNWcsu
    setgid(sys) to do kernel peeking for swap data. Root user can add/delete swap space with this tool -- others can only see results. Not of interest to the casual user. Some interest to system admin types who can get the information as root.

    Much of the information provided is available with the top command which runs setuid(root) (that's not a vendor tool, we package it through xhier).

    This is the real executable behind /usr/sbin/swap which is not setuid. On Solaris 2.7 that's a hard link to

    /usr/sbin/swap=../../usr/lib/isaexec l none SUNWcsu

    isaexec finds the right image and runs it. There are several different Instruction Set Architectures, or ISAs (sparcv7 is for traditionally 32-bit Sparc chips, sparcv9 is for the UltraSparc). You'll find this program in an ISA specific location.

    See also netstat, ipcs, eeprom, dmesg, prtconf, swap, sysdef.

    History:
    Don't know.

    Recommendation:
    Default -- drop the setgid.
  78. /usr/sbin/sparcv7/sysdef f none 2555 root sys 24728 17046 907659982 SUNWcsu
    setgid(sys) to do kernel peeking for all sorts of kernel parameters. Can only read kernel parameters. Not of interest to the casual user, essential tool for system administrator.

    This is the real executable behind /usr/sbin/sysdef which is not setuid. On Solaris 2.7 that's a hard link to

    /usr/sbin/sysdef=../../usr/lib/isaexec l none SUNWcsu

    isaexec finds the right image and runs it. There are several different Instruction Set Architectures, or ISAs (sparcv7 is for traditionally 32-bit Sparc chips, sparcv9 is for the UltraSparc). You'll find this program in an ISA specific location.

    See also netstat, ipcs, eeprom, dmesg, prtconf, swap, sysdef.

    History:
    Don't know.

    Recommendation:
    Default -- drop the setgid.
  79. /usr/sbin/sparcv7/whodo f none 4555 root bin 12948 26594 907660052 SUNWcsu
    setuid(root) -- Tells you who is doing what. Sort of a combination of ps and who data. Quick tests on Solaris 2.6 and 2.7 indicate it works fine without the setuid.

    This is the real executable behind /usr/sbin/whodo which is not setuid. On Solaris 2.7 that's a hard link to

    /usr/sbin/whodo=../../usr/lib/isaexec l none SUNWcsu

    isaexec finds the right image and runs it. There are several different Instruction Set Architectures, or ISAs (sparcv7 is for traditionally 32-bit Sparc chips, sparcv9 is for the UltraSparc). You'll find this program in an ISA specific location.

    History:
    It's been around for a very long while.

    Recommendation:
    Default -- can safely drop the setuid.
  80. /usr/sbin/static/rcp f none 4555 root bin 691620 36238 904648043 SUNWsutl
    setuid(root) version of rcp without dynamic links (another version of /usr/bin/rcp). Seems to be for system administrators in single-user mode, but we assume only every once in a while and aren't they user root then anyways? We can see no good reason for having this setuid.

    History:
    /usr/sbin/static is new to Solaris 2.7

    Recommendation:
    Default -- remove the setuid.
  81. /usr/sbin/traceroute f none 4555 root bin 22056 62646 907660449 SUNWcsu
    setuid(root) required to muck with interface configuration parameters and send ICMP packets. It's not clear that casual users need this tool.

    History:
    New in Solaris 2.7. Traceroute used to be an xhier addition in the package 'netdiag'. Not aware of any security problems.

    Recommendation:
    Default -- leave as setuid (follows existing xhier practice).

    Alternative (safer) -- drop setuid(root) or restrict to the sysadmin group.

  82. /usr/sbin/wall f none 2555 bin tty 10144 15686 907660040 SUNWcsu
    setgid(tty) -- write a message to all /dev/tty devices (everywhere there's someone logged in). Useful to send out panic notes -- "system going down in 5 minutes, please logout". I think it's the back door to rwall (remote wall).

    See also write.

    History:
    Abused sometimes to send out false messages, harassing notes, etc. But I'm not aware of any real security problems.

    Recommendation:
    Default -- drop the setgid so only user root can broadcast messages. A minor inconvenience for system administrators and operators.

    Alternative (safe) -- setuid(root) and restrict to the sysadmin group.

  83. /usr/ucb/sparcv7/ps f none 4555 root sys 23060 59913 904648538 SUNWscpu
    setuid(root) -- peeks at kernel tables to display process stats.

    This is the real executable behind /usr/ucb/ps which is not setuid. On Solaris 2.7 that's a hard link to

    /usr/ucb/ps=../../usr/lib/isaexec l none SUNWscpu

    isaexec finds the right image and runs it. There are several different Instruction Set Architectures, or ISAs (sparcv7 is for traditionally 32-bit Sparc chips, sparcv9 is for the UltraSparc). You'll find this program in an ISA specific location.

    History:
    Programs accepting sensitive data as command line arguments are subject to snooping with this tool. The BSD version is deprecated with the SysV version in /usr/bin favored by the vendor and by xhier default paths.

    Recommendation:
    Default -- safe enough, don't worry.
  84. /usr/vmsys/bin/chkperm f none 6755 bin bin 10080 40420 904647701 SUNWfac
    setuid(bin)/setgid(bin) -- "SUNWfac" is the "optional FACE package"
    [2:28pm sun570] pkginfo -l SUNWfac |egrep 'NAME:|DESC:'
          NAME:  Framed Access Command Environment
          DESC:  utilities and resources for a Form and \
                 Menu Language Interpreter (FMLI) execution \
                 environment

    That's a character based package that is built on top of curses to make handling complex character displays easier. It was documented in Solaris 2.1; see also "man face". Seems to have ATT (System V) origins.

    It seems odd to have this one program setuid to bin. Compromising user bin (or group bin) can give one control of important file systems.

    History:
    Old curses based tool.

    Recommendation:
    Drop the setuid and only restore it if there's a demonstrated need.
A Bourne Shell script to implement these recommendations is available (suitable for systems at UW and perhaps elsewhere) -- it can easily be edited to implement your choices.

Other Setuid/Setgid files

Those responsible for the security of a computer system should make an effort to identify all the setuid/setgid files on their systems. No doubt your system may include files that aren't installed on the system we used.

When you encounter files in other packages we would appreciate knowing about them so we can make recommendations about how best to deal with them. Your input in that process is very much appreciated. Submissions to the author are gratefully received.
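
The inventory step described above, combined with the keep/drop decisions from the numbered review, can be scripted as follows. This POSIX shell code is an added example and is not the UW script mentioned earlier; the policy file format, the function names and the ROOT argument are assumptions made here, and only the "leave alone" and "drop" recommendations are modelled.

```sh
#!/bin/sh
# Added example (not the UW script): audit setuid/setgid files against a
# list of reviewed decisions.
#
# Policy file, one decision per line (format constructed for this example):
#   keep /usr/sbin/ping      reviewed, leave the bits in place
#   drop /usr/sbin/arp       reviewed, remove setuid and setgid
# Lines starting with '#' are comments. A file that carries the bits but has
# no keep/drop line is reported as UNREVIEWED so someone can decide on it.
#
# Usage: audit_sbits / /path/to/policy          (report only)
#        audit_sbits / /path/to/policy apply    (remove bits marked "drop")

# list_sbits ROOT: every regular file under ROOT with setuid or setgid set.
list_sbits() {
    find "${1:-/}" -type f \( -perm -4000 -o -perm -2000 \) -print | LC_ALL=C sort
}

# lookup_action POLICY PATH: print the action recorded for PATH, if any.
lookup_action() {
    while read -r la_action la_path || [ -n "$la_action" ]; do
        case $la_action in ''|\#*) continue ;; esac
        if [ "$la_path" = "$2" ]; then
            echo "$la_action"
            return 0
        fi
    done < "$1"
    return 1
}

# audit_sbits ROOT POLICY [apply]
# ROOT lets the same policy be checked against an alternate tree (a test
# directory or a mounted image); policy paths are relative to that root.
audit_sbits() {
    as_root=${1%/}            # "/" becomes "", "/mnt/img/" becomes "/mnt/img"
    as_policy=$2
    as_mode=${3:-report}
    list_sbits "${as_root:-/}" | while IFS= read -r as_file; do
        as_rel=${as_file#"$as_root"}
        as_action=$(lookup_action "$as_policy" "$as_rel") || as_action=none
        case $as_action in
            keep) echo "KEEP $as_rel" ;;
            drop)
                if [ "$as_mode" != apply ]; then
                    echo "WOULD-DROP $as_rel"
                elif chmod u-s,g-s "$as_file"; then
                    echo "DROPPED $as_rel"
                else
                    echo "FAILED $as_rel"
                fi ;;
            *) echo "UNREVIEWED $as_rel" ;;
        esac
    done
}
```

Run it in report mode first and resolve every UNREVIEWED line before using "apply"; vendor patches can restore the bits, so the report is worth repeating after patching.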


Credits

The recommendations given here are a rough consensus of informed staff within UW/IST who have some Solaris expertise. Bruce Lennox, Patrick Matlock, Dawn Whiteside and the author met several times to discuss the recommendations and find a consensus. We've pooled our knowledge to come up with reasonable recommendations that can safely be implemented with minimal disruption --- this paper is our best advice.

An early version of this paper was discussed with Mike Borkowski, Brian Cameron, Martin Timmerman and the staff already mentioned. Finally, many thanks to Southwest Sun Inc. and especially to Ellen Smout for the kind help provided on tools we could not fathom.


Revision History

29-Jun-1999: Polished/Reviewed/Published on web.

18-Aug-2000: Reviewed while writing a follow up for Solaris 8. Discovered a dumb omission (no doubt an error on my part) -- /usr/open/bin/Xsun has been added. In the interim some vendor patches have changed permissions -- /usr/bin/dmesg is no longer setuid. Some cosmetic changes and minor typos. Recommendations have not changed.

07-Nov-2000: Bruce Campbell discovered these setuid programs on his Solaris 7 system:

  • afbconfig - configure the AFB Graphics Accelerator
  • ffbconfig - configure the FFB Graphics Accelerator
  • igsconfig - configure the IGS Graphics Adaptor
  • m64config - configure the M64 Graphics Accelerator
  • pgxconfig - configure the PGX32 (Raptor GFX) Graphics Accelerator
We've seen these on Solaris 8 and make the same recommendations here -- remove the setuid. These, like the kcms_configure tool, should not be left. The script has been updated to include these.

09-Nov-2000: shell script for dealing with issues is now portable -- no xhier requirements.

04-May-2001: Bugtraq problems with ipcs, kcms_configure, mailx, tip, Xsun and dtsession confirm our recommendations. Xsun is a new one -- it ought not to be setuid. Dtsession is a nasty one.


Reg Quinton, Information Systems and Technology,
1999/04/21-2001/05/04