Per default there are too many binaries with the SUID root bit set. It would be nice to have a choice (USE="-suidroot"). The other and IMHO better option would be to disable SUID root per default and only let the user enable it.
Maybe su or sudo should be left SUID root.
mount -o nosuid may also be an option. Also a separate partition with suid root binaries would be a great improvement.
Steps to Reproduce:
1. find / -perm -4000 > suid.root
You get a long list of suid root programs such as xterm!(?) ping etc.
Only su or sudo should be setuid root per default.
Portage 2.0.50-r9 (default-x86-2004.2, gcc-3.3.3, glibc-188.8.131.5240420-r0,
System uname: 2.4.25_pre7-gss-r8 i686 AMD Athlon(tm) MP 1500+
Gentoo Base System version 1.4.16
distcc 2.13 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
ccache version 2.3 [enabled]
CFLAGS="-s -Os -march=athlon-mp -mcpu=athlon-mp -pipe -mmmx -msse -m3dnow
CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config
/usr/kde/3/share/config /usr/lib/mozilla/defaults/pref /usr/share/config
/usr/share/texmf/xdvi/ /var/bind /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-s -Os -march=athlon-mp -mcpu=athlon-mp -pipe -mmmx -msse -m3dnow
FEATURES="autoaddcvs buildpkg ccache distcc fixpackages sandbox"
USE="3dnow X X.org aalib alsa apm avi berkdb bonobo bttv cdr crypt cups db dvd
dvdr encode f77 foomatic foomaticdb gdbm gif gimp gimpprint gmp gnome gpm gtk
gtk2 gtkhtml guile imap imlib java jpeg lame ldap lesstif libg++ libwww lirc mad
mbox mikmod mmx mng motif mozilla mp3 mpeg ncurses nls odbc ogg oggvorbis oss
pam pdf pdflib perl png ppds ps python quicktime readline ruby samba sane sasl
scanner sdl slang slp spell sse ssl svcd svga tcltk tcpd tetex tiff truetype v4l
vanilla vcd video_cards_rage128 vim wmf x86 xml2 xmms xv zlib"
With that find command you'll find not only programs which are suid to some other user than root (which is still bad, but nearly as much as UID 0) but also directories which have the sticky bit. Calling the latter a security issue by default is a bit harsh, IMO.
Oh, and there are programs which enhance security by being suid root. gpg for example.
Ok, you may add a -type f to the find command. And yes it may be a good idea to let gpg be set suid root. But why not let the user decide? Or just drop a note while emerging?
Those notes tend to get lost. While there is no accepted mechanism to make sure all einfos are read... I don't know, I'd feel uneasy both ways.
There is nothing that the Security Team can do to solve that problem as a whole. Some (most) of the programs that have the root SUID set need it. You will break them if you don't have it. So it's a reasonable default to have it set for these packages, and you still have the option of removing it (and break the corresponding packages).
If you identify a specific package that has unnecessary root SUID programs, please file a bug for that package (component = Ebuilds) specifically, that way you will be able to convince the package maintainer that this is superfluous.
If you want a global "suidroot" USE flag and want to have every ebuild conform to it, you should bring up a discussion on the gentoo-dev mailing-list and try to convince Gentoo Developers that it is a good idea. Because if it's not accepted by all or part of Gentoo ebuild policy, some ebuilds will not respect it and it won't be useful.
There is an undocumented feature called suidctl which will remove the sbit from every app at install time unless it's in the allowed list which is defined in /etc/portage/suidctl.conf
mkdir -p /etc/portage
echo '#' >> /etc/portage/suidctl.conf
FEATURES=suidctl emerge beep ; # for example
>>> Preforming suid scan in /var/tmp/portage-pkg/beep-1.2.2/bin
>>> Removing sbit on non registered /usr/bin/beep
>>> Appending commented out entry to /etc/portage/suidctl.conf for beep-1.2.2
ls -l `which beep`
-rwx--x--x 1 root root 10048 Aug 4 17:10 /usr/bin/beep
That should give you the fine-grained control you're looking for.
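The two ideas in this thread, auditing for setuid files with `find -type f -perm -4000` (as amended in the earlier comment) and checking them against an allow list the way suidctl does, can be combined into a small audit script. The following is an added example, not code from the bug report or from Portage; it builds a constructed sample tree so it runs offline as an unprivileged user, and its allow-list format (one absolute path per line, `#` comments) is an assumption of the example, not the real format of /etc/portage/suidctl.conf.

```shell
#!/bin/sh
# Added example (not part of the bug thread or Portage): audit setuid files
# under a directory tree and report those missing from an allow list.
# The allow-list format (one absolute path per line, '#' comments) is an
# assumption modelled on the idea of suidctl.conf, not its actual format.

# Build a constructed sample tree so the script can be exercised without
# scanning a real system or needing root.
make_sample_tree() {
    root=$1
    mkdir -p "$root/bin" "$root/usr/bin" "$root/tmp"
    : > "$root/bin/su"; : > "$root/usr/bin/beep"; : > "$root/usr/bin/ping"
    chmod 4755 "$root/bin/su" "$root/usr/bin/beep" "$root/usr/bin/ping"
    : > "$root/usr/bin/plain"; chmod 0755 "$root/usr/bin/plain"
    chmod 1777 "$root/tmp"   # sticky directory: -type f must exclude it
    printf '# constructed allow list: setuid files that are expected\n/bin/su\n' \
        > "$root/allow.conf"
}

# List regular files carrying the setuid bit, as paths relative to the root,
# sorted so the output is stable for comparison.
list_suid_files() {
    root=$1
    find "$root" -type f -perm -4000 | sed "s|^$root||" | sort
}

# Print every setuid file that is not registered in the allow list.
# Comment lines in the allow list never match because -x requires the
# whole line to equal the path.
unregistered_suid() {
    root=$1; allow=$2
    list_suid_files "$root" | while read -r f; do
        grep -qx -- "$f" "$allow" || printf '%s\n' "$f"
    done
}
```

To try it: `d=$(mktemp -d); make_sample_tree "$d"; unregistered_suid "$d" "$d/allow.conf"` prints `/usr/bin/beep` and `/usr/bin/ping`, the two setuid files not listed in the constructed allow.conf, while the sticky /tmp directory and the non-setuid `plain` binary are ignored. Against a real system you would pass `/` as the root and your own allow list; the script only reports, it does not change any mode bits.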
Thanks, that's exactly what I'm looking for.