Re: setuid/setgid binaries contained in the Debian repository.

On Thu, Jul 31, 2003 at 06:37:53PM +0100, Steve Kemp wrote:

> On Thu, Jul 31, 2003 at 12:55:28PM -0400, Joey Hess wrote:
> > I also think it would be a good idea for policy to require all
> > setuid/gid bit grants to go through this or another list for peer
> > review, much as pre-depends are supposed to.
>   I was thinking of approaching that problem a different way.
>   In the same way that apt-listchanges shows a package's changelog
>  at install time, I could see a script 'apt-listsetuid' which would
>  warn the admin at install time if any new setuid/setgid applications
>  were being installed.

I use checksecurity for this; it runs from cron (daily by default) and
notifies me whenever there is a change in the list of setuid and setgid
programs on the system.

 - mdz
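
Added example, not part of the original message and not checksecurity's own code: the baseline-and-diff approach described above, written in sh so it can run from cron, which mails any output to the admin. The function names and the state-file argument are assumptions made for this illustration.

```shell
#!/bin/sh
# Added illustration: report changes in the set of setuid/setgid files.
# list_setid, check_setid and the state file are hypothetical names.

# Print "mode uid:gid path" for every setuid or setgid regular file under $1,
# staying on one filesystem, sorted so the output can be fed to comm(1).
list_setid() {
    LC_ALL=C find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -ldn {} + 2>/dev/null |
    sed -E 's/^([^ ]+) +[^ ]+ +([^ ]+) +([^ ]+) +[^ ]+ +[^ ]+ +[^ ]+ +[^ ]+ +(.*)$/\1 \2:\3 \4/' |
    LC_ALL=C sort
}

# Scan $1, compare with the baseline stored in $2, then replace the baseline.
# Prints "+ entry" for new or changed entries and "- entry" for entries that
# disappeared (a mode or owner change shows up as one of each).
# Returns 0 if nothing changed, 1 if there is something to report.
check_setid() {
    root=$1
    baseline=$2
    new=$(mktemp) || return 2
    list_setid "$root" > "$new"
    [ -f "$baseline" ] || : > "$baseline"    # first run: everything is new
    changes=$(
        LC_ALL=C comm -13 "$baseline" "$new" | sed 's/^/+ /'
        LC_ALL=C comm -23 "$baseline" "$new" | sed 's/^/- /'
    )
    mv "$new" "$baseline"
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}

# Cron entry point, used only when called as: script ROOT STATEFILE
if [ "$#" -eq 2 ]; then
    check_setid "$1" "$2"
fi
```

Because the baseline is rewritten on every run, each change is reported once; keep the state file somewhere only root can write, or the report can be silenced by editing it.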

