#
# Let's take a look at setuid-0 programs first
#
# columns: programs | description | capabilities needed | filesystem access needed | note | flag
ping, traceroute | ping programs | NET_RAW, NET_BROADCAST | none | . | sl
fping | ping programs | NET_RAW, NET_BROADCAST | none | . | 0l
mount, umount, fdmount | mount utilities | SYS_ADMIN | none | . | .
su, login | user login | SETUID, SETGID | ro /etc/shadow | . | .
newgrp | group login | SETGID | ro /etc/gshadow | . | .
rcp, rlogin, rsh, ssh1 | remote login | NET_BIND_SERVICE | none | . | s
cons.saver | vcsa access wrapper for Midnight Commander | none | rw /dev/vcsa* | Older versions of cons.saver need r/w access to /dev/tty; fixed in 4.5.32. | s
gpasswd | setting of group information | none | rw /etc/{group,gshadow} | . | .
chfn, chsh, passwd, chage | setting of user information | none | rw /etc/{passwd,shadow} | . | .
screen, xterm | terminals | none | rw /var/run/{utmp,wtmp} | . | .
ncpmount, ncpumount, nwsfind | NetWare utilities | SYS_ADMIN, NET_RAW | none | . | l
XF86_*, Xwrapper | X Window servers | NET_BIND_SERVICE, SYS_RAWIO | none | . | 0
lpr, lprm, lpq, lpc | printer spooling | none | rw * | I'm not sure what they really need to access. | .
sendmail | mail handler | NET_BIND_SERVICE | none | . | s
procmail | mail delivery | SETUID | rw * | I'm not sure about this one. | .
at, crontab | scheduling of jobs for later execution | none | rw * | They only need special fs rights, but I'm not sure which rights. Unfortunately, breaking into these gives you full root a few seconds later, so... | .
suidperl, sperl* | Perl setuid handler | ALL | ALL | No workaround for this one; they really need full root by design. | .
pppd | Point-to-Point Protocol handler | none | none | It is setuid root but executable only by group root. I wonder what this can be good for? | .
dga, xload, expiry | miscellaneous | none | none | probably unnecessary | .
zgv | SVGAlib programs | none | none | These programs are unsafe by design. They usually drop uid 0 at the beginning, but that is not enough, as they keep /dev/kmem open. Bad, bad. [They would like SYS_RAWIO and rw /dev/kmem for their function, but as they are designed to be a security hole, I think we had better warn about them.] | .
#
# Daemons running with uid==0 come to mind next
#
init | system runlevel changer | ALL | ALL | . | d
gpm, syslogd, klogd, cardmgr, bdflush, *getty, cron | basic system daemons | ALL | ALL | . | d
portmap | port mapping service for RPC | NET_BIND_SERVICE | none | . | d
inetd, munetd | launchers of other daemons | ALL | ALL | . | d
sshd, rpc.nfsd, rpc.mountd, rpc.rstatd, ftpd, in.telnetd, in.rshd, in.rlogind, in.rexecd, in.ntalkd, in.talkd, bootps, cucipop, *finger* | internet services | ALL | ALL | I'm sure some of these can run with lower privileges. | d
identd, tftp | internet services | none | none | These are internet services that were configured to run non-root on my system. | d
#
# Trap for everything unknown
#
* | unknown to me | none | none | I do not know these programs; feel free to add them to capbase.txt and mail me the resulting file. | .
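The table above separates two kinds of privilege a setuid-root program may need: a capability (NET_RAW, SYS_ADMIN, ...) and privileged access to particular files (ro /etc/shadow, rw /dev/vcsa*). Only the first kind can be replaced by file capabilities; the second has to be handled with ownership and group permissions, and rows marked ALL or "rw *" cannot be reduced at all. The following Python is an added example, not code from capbase.txt or the tooling it belongs to: it parses rows in the table's layout, sorts each program into one of those buckets and emits the setcap(8) line for the ones a capability subset actually covers. The '|'-separated row layout, the sample rows, the bucket names and the suggested actions are assumptions made for this example; the capability names and the setcap syntax are real.

```python
"""Least-privilege plan from capbase-style rows.

Added example, not code from capbase.txt or its tooling. Assumptions made here:
rows are six '|'-separated fields (programs | description | capabilities |
filesystem access | note | flag); capabilities are CAP_* names without the
prefix, "none" or "ALL"; filesystem access is "none", "ALL" or "<ro|rw> <path>";
the bucket names and suggested actions are this example's own.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample input: a few rows copied from the table above.
SAMPLE_TABLE = """\
# comment lines are skipped, as in capbase.txt
ping, traceroute | ping programs | NET_RAW, NET_BROADCAST | none | . | sl
cons.saver | vcsa access wrapper for Midnight Commander | none | rw /dev/vcsa* | . | s
chfn, chsh, passwd, chage | setting of user information | none | rw /etc/{passwd,shadow} | . | .
lpr, lprm, lpq, lpc | printer spooling | none | rw * | not sure what they need | .
suidperl, sperl* | Perl setuid handler | ALL | ALL | needs full root by design | .
pppd | Point-to-Point Protocol handler | none | none | executable only by group root | .
"""


@dataclass
class Entry:
    programs: List[str]
    description: str
    caps: List[str]   # [] for "none", ["ALL"] for full root
    fs_mode: str      # "" (no file access needed), "ro", "rw" or "ALL"
    fs_path: str      # "" when none, "*" when the table says "anything"
    note: str
    flag: str


def parse_capbase(text: str) -> List[Entry]:
    """Parse the assumed '|'-separated layout; '#' lines are comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 6:
            raise ValueError(f"expected 6 fields, got {len(parts)}: {raw!r}")
        programs = [p.strip() for p in parts[0].split(",")]
        caps = [] if parts[2].lower() == "none" else [c.strip().upper() for c in parts[2].split(",")]
        if parts[3].lower() == "none":
            fs_mode, fs_path = "", ""
        elif parts[3].upper() == "ALL":
            fs_mode, fs_path = "ALL", "*"
        else:
            fs_mode, fs_path = parts[3].split(None, 1)   # e.g. "rw /etc/{passwd,shadow}"
            fs_mode = fs_mode.lower()
        entries.append(Entry(programs, parts[1], caps, fs_mode, fs_path, parts[4], parts[5]))
    return entries


def classify(e: Entry) -> str:
    """Bucket an entry by what can actually replace its setuid-root bit.

    File capabilities only cover the capability column; privileged file
    access has to be solved with ownership/group permissions instead.
    """
    if "ALL" in e.caps or e.fs_mode == "ALL":
        return "full-root"            # suidperl: no capability subset helps
    if e.fs_path == "*":
        return "needs-investigation"  # "rw *": the table author did not know
    if e.caps and not e.fs_path:
        return "cap-only"             # ping: setcap, then drop the setuid bit
    if e.caps:
        return "cap-and-fs"           # capabilities plus specific files
    if e.fs_path:
        return "fs-only"              # passwd, cons.saver: files, no capability
    return "no-privilege"             # pppd, dga: setuid root is unnecessary


def setcap_command(e: Entry, path: str) -> str:
    """setcap(8) line granting exactly the table's capabilities, effective at exec."""
    if classify(e) not in ("cap-only", "cap-and-fs"):
        raise ValueError("no capability subset applies to " + ", ".join(e.programs))
    return "setcap " + ",".join("cap_" + c.lower() for c in e.caps) + f"=ep {path}"


ACTIONS = {
    "cap-only": "chmod u-s; grant the listed capabilities with setcap",
    "cap-and-fs": "setcap for the listed capabilities; give file access by owner/group",
    "fs-only": "chmod u-s; give file access by owner/group (e.g. setgid to a dedicated group)",
    "no-privilege": "chmod u-s; the program needs no privilege at all",
    "needs-investigation": "trace its file access first (table says 'rw *')",
    "full-root": "keep setuid root; restrict who may execute it",
}


def plan(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """One (program, bucket, action) row per program name in the table."""
    return [(prog, classify(e), ACTIONS[classify(e)]) for e in entries for prog in e.programs]


if __name__ == "__main__":
    for prog, bucket, action in plan(parse_capbase(SAMPLE_TABLE)):
        print(f"{prog:10} {bucket:20} {action}")
```

Two caveats when applying the output: setcap needs a filesystem with extended attributes and a kernel with file capabilities (Linux 2.6.24 or later, long after this table was written), and the "=ep" flags make the capabilities effective at exec so a program that never calls capset still gets them. The "fs-only" bucket is the reason a capability database alone does not finish the job: passwd or cons.saver need no capability at all, only access to specific files, which is a permissions question rather than a kernel one.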