This file is automatically generated from capbase by capdump. Do not modify, unless you want your changes discarded. Generated at Sat May 15 14:25:27 MET DST 1999 on Linux atrey 2.0.35 #4 Thu Sep 24 20:10:58 MET DST 1998 i586.
| Programs | Purpose | Capabilities needed | FS rights needed | Comment |
| --- | --- | --- | --- | --- |
| ping, traceroute | ping programs | NET_RAW, NET_BROADCAST | none | . (sure!) (maybe less?) |
| fping | ping programs | NET_RAW, NET_BROADCAST | none | . (maybe less?) (does getuid and expects 0) |
| mount, umount, fdmount | mount utilities | SYS_ADMIN | none | . |
| su, login | user login | SETUID, SETGID | ro /etc/shadow | . |
| newgrp | group login | SETGID | ro /etc/gshadow | . |
| rcp, rlogin, rsh, ssh1 | remote login | NET_BIND_SERVICE | none | . (sure!) |
| cons.saver | vcsa access wrapper for midnight | none | rw /dev/vcsa* | Older versions of cons.saver need r/w access to /dev/tty, fixed in 4.5.32. (sure!) |
| gpasswd | setting of group information | none | rw /etc/{group,gshadow} | . |
| chfn, chsh, passwd, chage | setting of user information | none | rw /etc/{passwd,shadow} | . |
| screen, xterm | terminals | none | rw /var/run/{utmp,wtmp} | . |
| ncpmount, ncpumount, nwsfind | netware utilities | SYS_ADMIN, NET_RAW | none | . (maybe less?) |
| XF86_*, Xwrapper | X-windows servers | NET_BIND_SERVICE, SYS_RAWIO | none | . (does getuid and expects 0) |
| lpr, lprm, lpq, lpc | printer spooling | none | rw * | I'm not sure what they really need to access |
| sendmail | mail handler | NET_BIND_SERVICE | none | . (sure!) |
| procmail | mail delivery | SETUID | rw * | I'm not sure about this one |
| at, crontab | Scheduling of jobs for later execution | none | rw * | They only need special fs rights but I'm not sure which rights. Unfortunately, breaking into these gives you full root a few seconds later, so... |
| suidperl, sperl* | Perl setuid handler | ALL | ALL | No workaround for this one, they really need full root by design. |
| pppd | Point-to-point protocol handler | none | none | It is setuid root but executable only by group root. I wonder what this can be good for? |
| dga, xload, expiry | Miscellaneous | none | none | probably unnecessary |
| zgv | SVGAlib programs | none | none | These programs are unsafe by design. They usually drop uid0 at the beginning, but that is not enough as they keep /dev/kmem open. Bad, bad. [They would like SYS_RAWIO and rw /dev/kmem for their function, but as they are designed to be a security hole I think we'd better warn about them.] |
| init | System runlevel changer | ALL | ALL | . (daemon) |
| gpm, syslogd, klogd, cardmgr, bdflush, *getty, cron | Basic system daemons | ALL | ALL | . (daemon) |
| portmap | Port mapping service for rpc | NET_BIND_SERVICE | none | . (daemon) |
| inetd, munetd | Launchers of other daemons | ALL | ALL | . (daemon) |
| sshd, rpc.nfsd, rpc.mountd, rpc.rstatd, ftpd, in.telnetd, in.rshd, in.rlogind, in.rexecd, in.ntalkd, in.talkd, bootps, cucipop, *finger* | internet services | ALL | ALL | I'm sure some of these can run with lower privileges (daemon) |
| identd, tftp | internet services | none | none | These are internet services that were configured to run non-root on my system (daemon) |
| * | unknown to me | none | none | I do not know these programs, feel free to add them to capbase.txt and mail me the resulting file |

Created by Pavel Machek.