2002-07-08 04:28:42 +08:00
<sect2>
<title>Command explanations</title>
<para><screen><userinput>sed 's/-o bin/-o root/' :</userinput></screen>
Adjusts the Makefile so that the program is installed owned by user root
instead of user bin (which doesn't exist on a default LFS system).</para>
<para><userinput>make install: </userinput> Installs traceroute setuid root
in the /usr/sbin directory. This makes it possible for all users to execute
traceroute. For absolute security, turn off the setuid bit in traceroute's
file permissions with the command:
<screen><userinput>chmod 0755 /usr/sbin/traceroute</userinput></screen></para>
<para>The risk is that if a security problem such as a buffer overflow were
ever found in the traceroute code, a regular user on your system could gain
root access if the program is setuid root. Removing the setuid permission
of course also makes it impossible for users other than root to utilize
traceroute, so decide what's right for your individual situation.</para>
<para>Now, to be completely FHS compliant, as is our aim, if you do leave the
traceroute binary setuid root, then you should move traceroute to /usr/bin
with the following command:
<screen><userinput>mv /usr/sbin/traceroute /usr/bin</userinput></screen></para>
<para>This ensures that the binary is in the path for non-root users.</para>
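<para>The two choices described above (keep the setuid bit and move the binary
to /usr/bin, or clear the bit and leave it in /usr/sbin) can be checked with a
few shell functions. This is an added example, not part of the original book;
the function names are hypothetical and the demo runs on a constructed
temporary file rather than the real traceroute binary.</para>

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the LFS book.

# setuid_state FILE: print "setuid-root", "setuid-uid-N" or "no-setuid".
setuid_state() {
    f=$1
    [ -f "$f" ] || { echo "missing"; return 1; }
    if [ -u "$f" ]; then                      # -u is true when the setuid bit is set
        owner=$(ls -ldn -- "$f" | awk '{print $3}')   # numeric owner uid
        if [ "$owner" -eq 0 ]; then
            echo "setuid-root"                # any user runs this code as root
        else
            echo "setuid-uid-$owner"
        fi
    else
        echo "no-setuid"
    fi
}

# fhs_dir FILE: directory the advice above implies for the binary.
# Assumption: any setuid owner is treated like the setuid-root case.
fhs_dir() {
    case $(setuid_state "$1") in
        setuid-*)  echo /usr/bin ;;           # usable by all users, so keep it in their PATH
        no-setuid) echo /usr/sbin ;;          # only useful to root
        *)         return 1 ;;
    esac
}

# drop_setuid FILE: apply the chmod 0755 shown above and verify the bit is gone.
drop_setuid() {
    chmod 0755 -- "$1" || return 1
    [ ! -u "$1" ]
}

demo() {
    t=$(mktemp)                               # constructed stand-in for the binary
    chmod 4755 "$t"                           # mode that "make install" leaves behind
    echo "as installed:     $(setuid_state "$t"), belongs in $(fhs_dir "$t")"
    drop_setuid "$t"
    echo "after chmod 0755: $(setuid_state "$t"), belongs in $(fhs_dir "$t")"
    rm -f "$t"
}
demo
```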
</sect2>