| 1 | <sect2>
|
|---|
| 2 | <title>Command explanations</title>
|
|---|
| 3 |
|
|---|
| 4 | <para><screen><userinput>sed 's|@prefix@|/usr|' Makefile.in > Makefile.in~ mv Makefile.in~ Makefile.in :</userinput></screen>
|
|---|
| 5 | Adjusts the Makefile so that traceroute will be installed in /usr/sbin
|
|---|
| 6 | instead of /usr/local/sbin, which is where the default
|
|---|
| 7 | installation puts it.</para>
|
|---|
| 8 |
|
|---|
| 9 | <para><userinput>make install: </userinput> Installs traceroute setuid root
|
|---|
| 10 | in the /usr/sbin directory. This makes it possible for all users to execute
|
|---|
| 11 | traceroute. For absolute security, turn off the setuid bit in traceroute's
|
|---|
| 12 | file permissions with the command
|
|---|
| 13 | <screen><userinput>chmod 0755 /usr/sbin/traceroute</userinput></screen></para>
|
|---|
| 14 |
|
|---|
| 15 | <para>The risk is that if a security problem such as a buffer overflow were
|
|---|
| 16 | ever found in the traceroute code, a regular user on your system could gain
|
|---|
| 17 | root access if the program is setuid root. Removing the setuid permission
|
|---|
| 18 | of course also makes it impossible for users other than root to utilize
|
|---|
| 19 | traceroute, so decide what's right for your individual situation.</para>
|
|---|
| 20 |
|
|---|
| 21 | <para>Now, to be completely FHS compliant, as is our aim, if you do leave the
|
|---|
| 22 | traceroute binary setuid root, then you should move traceroute to /usr/bin
|
|---|
| 23 | with the following command:
|
|---|
| 24 | <screen><userinput>mv /usr/sbin/traceroute /usr/bin</userinput></screen></para>
|
|---|
| 25 |
|
|---|
| 26 | <para>This ensures that the binary is in the path for non-root users.</para>
|
|---|
| 27 |
|
|---|
| 28 | </sect2>
|
|---|
| 29 |
|
|---|
