glfs/basicnet/netutils/traceroute/traceroute-exp.xml

<sect2>
<title>Command explanations</title>

<para><screen><command>sed 's/-o bin/-o root/'...</command></screen>
Adjusts the <filename>Makefile</filename> so that the program is installed 
with user root instead of user bin (which doesn't exist on a default
<acronym>LFS</acronym> system).</para>

<para><command>make install</command>: Installs <command>traceroute</command> 
setuid root in the <filename>/usr/sbin</filename> directory. This makes it 
possible for all users to execute <command>traceroute</command>. For absolute 
security, turn off the setuid bit in <command>traceroute</command>'s file 
permissions with the command: 
<screen><command>chmod 0755 /usr/sbin/traceroute</command></screen></para>

<para>The risk is that if a security problem such as a buffer overflow were 
ever found in the <application>Traceroute</application> code, a regular user 
on your system could gain root access if the program is setuid root. Removing 
the setuid permission of course also makes it impossible for users other than 
root to utilize <command>traceroute</command>, so decide what's right for your 
individual situation.</para>

<para>Now, to be completely <acronym>FHS</acronym> compliant, as is our aim, if 
you do leave the <command>traceroute</command> binary setuid root, then you 
should move <filename>traceroute</filename> to <filename>/usr/bin</filename> 
with the following command: 
<screen><command>mv /usr/sbin/traceroute /usr/bin</command></screen></para>

<para>This ensures that the binary is in the path for non-root users.</para>

</sect2>