From owner-freebsd-security Tue Jul 16 08:06:14 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id IAA00973 for security-outgoing; Tue, 16 Jul 1996 08:06:14 -0700 (PDT)
Received: from www.trifecta.com (www.trifecta.com [206.245.150.3]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id IAA00966; Tue, 16 Jul 1996 08:06:11 -0700 (PDT)
Received: (from dev@localhost) by www.trifecta.com (8.7.5/8.6.12) id LAA20845; Tue, 16 Jul 1996 11:04:23 -0400 (EDT)
Date: Tue, 16 Jul 1996 11:04:23 -0400 (EDT)
From: Dev Chanchani
To: Brian Tao
cc: Poul-Henning Kamp, FREEBSD-SECURITY-L
Subject: Re: suidness of /usr/bin/login
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 15 Jul 1996, Brian Tao wrote:

> Does /usr/bin/login need to be setuid root? Since it is normally
> only called by telnetd (which already runs as root), does it have to
> be setuid root as well? What else uses it? xterm (which itself is
> also setuid root)?

/usr/bin/login only needs to be suid root for people to "re-login" so
their uid can be set. If the only users on your system that need to su
are in the wheel group, you can take the suid bit off /usr/bin/login.
xterm does not need to be suid if users do not run xwindows.

Dev Chanchani
http://www.interactive.trifecta.com