1 | <sect2>
|
---|
2 | <title>Command explanations</title>
|
---|
3 |
|
---|
4 | <para><screen><userinput>sed 's|@prefix@|/usr|' Makefile.in > Makefile.in~ mv Makefile.in~ Makefile.in :</userinput></screen>
|
---|
5 | Adjusts the Makefile so that traceroute will be installed in /usr/sbin
|
---|
6 | instead of /usr/local/sbin, which is where the default
|
---|
7 | installation puts it.</para>
|
---|
8 |
|
---|
9 | <para><userinput>make install: </userinput> Installs traceroute setuid root
|
---|
10 | in the /usr/sbin directory. This makes it possible for all users to execute
|
---|
11 | traceroute. For absolute security, turn off the setuid bit in traceroute's
|
---|
12 | file permissions with the command
|
---|
13 | <screen><userinput>chmod 0755 /usr/sbin/traceroute</userinput></screen></para>
|
---|
14 |
|
---|
15 | <para>The risk is that if a security problem such as a buffer overflow were
|
---|
16 | ever found in the traceroute code, a regular user on your system could gain
|
---|
17 | root access if the program is setuid root. Removing the setuid permission
|
---|
18 | of course also makes it impossible for users other than root to utilize
|
---|
19 | traceroute, so decide what's right for your individual situation.</para>
|
---|
20 |
|
---|
21 | <para>Now, to be completely FHS compliant, as is our aim, if you do leave the
|
---|
22 | traceroute binary setuid root, then you should move traceroute to /usr/bin
|
---|
23 | with the following command:
|
---|
24 | <screen><userinput>mv /usr/sbin/traceroute /usr/bin</userinput></screen></para>
|
---|
25 |
|
---|
26 | <para>This ensures that the binary is in the path for non-root users.</para>
|
---|
27 |
|
---|
28 | </sect2>
|
---|
29 |
|
---|