On Thu, Jul 31, 2003 at 06:37:53PM +0100, Steve Kemp wrote:
> On Thu, Jul 31, 2003 at 12:55:28PM -0400, Joey Hess wrote:
> > I also think it would be a good idea for policy to require all
> > setuid/gid bit grants to go through this or another list for peer
> > review, much as pre-depends are supposed to.
>
> I was thinking of approaching that problem a different way.
>
> In the same way that apt-listchanges shows a package's changelog
> at install time, I could see a script 'apt-listsetuid' which would
> warn the admin at install time if any new setuid/setgid applications
> were being installed.

I use checksecurity for this; it runs from cron (daily by default) and
notifies me whenever there is a change in the list of setuid and setgid
programs on the system.

--
 - mdz
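
The kind of check described in the reply above (a periodic snapshot of setuid/setgid files compared against the previous run), as an added example that is not part of the original thread and is not checksecurity's own code. It assumes GNU find (for `-printf`); the function names and the state-file argument are hypothetical.

```shell
#!/bin/sh
# Added example: report changes in the set of setuid/setgid files between runs.
# Assumes GNU find; snapshot_setid and check_setid are hypothetical names.

# Print "MODE UID:GID PATH" for each setuid or setgid regular file under $1,
# staying on one filesystem (-xdev), sorted so snapshots compare line by line.
snapshot_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -printf '%m %U:%G %p\n' 2>/dev/null | LC_ALL=C sort
}

# Compare a fresh snapshot of $1 with the one stored in state file $2.
# Prints "+ ..." for entries that are new (or whose mode/owner changed) and
# "- ..." for entries that disappeared, then stores the fresh snapshot.
# Returns 0 if nothing changed, 1 if something did, 2 on setup failure.
check_setid() {
    cs_root=$1
    cs_state=$2
    cs_new=$(mktemp) || return 2
    snapshot_setid "$cs_root" > "$cs_new"
    # A missing state file is treated as an empty baseline, so the first
    # run reports every setuid/setgid file it finds.
    [ -f "$cs_state" ] || : > "$cs_state"
    cs_changes=$( {
        LC_ALL=C comm -13 "$cs_state" "$cs_new" | sed 's/^/+ /'
        LC_ALL=C comm -23 "$cs_state" "$cs_new" | sed 's/^/- /'
    } )
    mv "$cs_new" "$cs_state"
    if [ -n "$cs_changes" ]; then
        printf '%s\n' "$cs_changes"
        return 1
    fi
    return 0
}

# Usage: sh this-script ROOT STATEFILE
# Run from cron, any output (i.e. any change) is mailed to the job's owner.
if [ $# -eq 2 ]; then
    check_setid "$1" "$2"
fi
```

A mode or ownership change on an existing setuid file shows up as a `-` line followed by a `+` line for the same path.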