glfs/basicnet/netutils/traceroute/traceroute-exp.xml

<sect2>
<title>Command explanations</title>

<para><screen><userinput>sed 's|@prefix@|/usr|' Makefile.in &gt; Makefile.in~ mv Makefile.in~ Makefile.in :</userinput></screen>
Adjusts the Makefile so that traceroute will be installed in /usr/sbin 
instead of /usr/local/sbin, which is where the default 
installation puts it.</para>

<para><userinput>make install: </userinput> Installs traceroute setuid root 
in the /usr/sbin directory. This makes it possible for all users to execute 
traceroute. For absolute security, turn off the setuid bit in traceroute's 
file permissions with the command 
<screen><userinput>chmod 0755 /usr/sbin/traceroute</userinput></screen></para>

<para>The risk is that if a security problem such as a buffer overflow were 
ever found in the traceroute code, a regular user on your system could gain 
root access if the program is setuid root. Removing the setuid permission 
of course also makes it impossible for users other than root to utilize 
traceroute, so decide what's right for your individual situation.</para>

<para>Now, to be completely FHS compliant, as is our aim, if you do leave the 
traceroute binary setuid root, then you should move traceroute to /usr/bin 
with the following command: 
<screen><userinput>mv /usr/sbin/traceroute /usr/bin</userinput></screen></para>

<para>This ensures that the binary is in the path for non-root users.</para>

</sect2>
Initial revision git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@3 af4574ff-66df-0310-9fd7-8a98e5e911e0 2002-07-08 04:28:42 +08:00			`<sect2>`
			`<title>Command explanations</title>`

			`<para><screen><userinput>sed 's\|@prefix@\|/usr\|' Makefile.in > Makefile.in~ mv Makefile.in~ Makefile.in :</userinput></screen>`
			`Adjusts the Makefile so that traceroute will be installed in /usr/sbin`
			`instead of /usr/local/sbin, which is where the default`
			`installation puts it.</para>`

			`<para><userinput>make install: </userinput> Installs traceroute setuid root`
			`in the /usr/sbin directory. This makes it possible for all users to execute`
			`traceroute. For absolute security, turn off the setuid bit in traceroute's`
			`file permissions with the command`
			`<screen><userinput>chmod 0755 /usr/sbin/traceroute</userinput></screen></para>`

			`<para>The risk is that if a security problem such as a buffer overflow were`
			`ever found in the traceroute code, a regular user on your system could gain`
			`root access if the program is setuid root. Removing the setuid permission`
			`of course also makes it impossible for users other than root to utilize`
			`traceroute, so decide what's right for your individual situation.</para>`

			`<para>Now, to be completely FHS compliant, as is our aim, if you do leave the`
			`traceroute binary setuid root, then you should move traceroute to /usr/bin`
			`with the following command:`
			`<screen><userinput>mv /usr/sbin/traceroute /usr/bin</userinput></screen></para>`

			`<para>This ensures that the binary is in the path for non-root users.</para>`

			`</sect2>`