elevated-privileges

This executable does not run with the identity of the user who executes it. It runs instead with its owner ID in the file system or with its group ID, or both.

This security-relevant setting is intentional for programs that regularly acquire elevated privileges, such as /bin/su, but can be a significant risk when it the setting is not intended.

Please override if needed.

The tag is present in Lintian version 2.114.163. That is the most recent version we know about.

We use semantic versions. The patch number is a commit step indicator relative to the 2.114.0 release tag in our Git repository.

You can find the detection logic for this version at commit ea05801. For merge requests, please use the latest version in the Lintian check files/permissions.

Visibility: warning

Renamed from:

setuid-gid-binary
setgid-binary
setuid-binary

The following 95 source packages in the archive triggered the tag 171 times (in any Lintian version).

We found 5 overrides. The tag performed 97% of the time.

9mount

4755 root/root [usr/bin/9bind]
4755 root/root [usr/bin/9mount]
4755 root/root [usr/bin/9umount]

amanda

4750 root/backup [usr/lib/amanda/ambind]
4754 root/backup [usr/lib/amanda/application/amgtar]
4754 root/backup [usr/lib/amanda/application/amstar]
4754 root/backup [usr/lib/amanda/calcsize]
4754 root/backup [usr/lib/amanda/killpgrp]
4754 root/backup [usr/lib/amanda/rundump]
4754 root/backup [usr/lib/amanda/runtar]

apache2

4754 root/www-data [usr/lib/apache2/suexec-custom]
4754 root/www-data [usr/lib/apache2/suexec-pristine]

6755 daemon/daemon [usr/bin/at]

authbind

4755 root/root [usr/lib/authbind/helper]

chiark-utils

4754 root/root [usr/sbin/really]

cifs-utils

4755 root/root [sbin/mount.cifs]

clevis

4755 root/root [usr/libexec/clevis-luks-udisks2]

cryptmount

4755 root/root [usr/bin/cryptmount]

2755 root/mail [usr/sbin/dma]
4754 root/mail [usr/lib/dma/dma-mbox-create]

doas

4755 root/root [usr/bin/doas]

4755 root/root [usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_ckpasswd]
4755 root/root [usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys]
4755 root/root [usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_system]

ecryptfs-utils

4755 root/root [sbin/mount.ecryptfs_private]

exim4

4755 root/root [usr/sbin/exim4]
4755 root/root [usr/sbin/exim4]

firejail

4755 root/root [usr/bin/firejail]

fis-gtm

4500 root/root [usr/lib/x86_64-linux-gnu/fis-gtm/V6.3-014_x86_64/gtmsecshrdir/gtmsecshr]
4500 root/root [usr/lib/x86_64-linux-gnu/fis-gtm/V6.3-014_x86_64/utf8/gtmsecshrdir/gtmsecshr]
4755 root/root [usr/lib/x86_64-linux-gnu/fis-gtm/V6.3-014_x86_64/gtmsecshr]
4755 root/root [usr/lib/x86_64-linux-gnu/fis-gtm/V6.3-014_x86_64/utf8/gtmsecshr]

gtk3-nocsd

4644 root/root [usr/lib/x86_64-linux-gnu/libgtk3-nocsd.so.0]

i810switch

4754 root/video [usr/bin/i810switch]

ifmail

4754 64000/news [usr/lib/ifmail/ifmail]

inetutils

4755 root/root [bin/ping]
4755 root/root [bin/ping6]
4755 root/root [usr/bin/inetutils-traceroute]

2755 root/news [usr/bin/inews]
2755 root/news [usr/bin/rnews]
4754 root/news [usr/sbin/inndstart]

inn2

4754 news/uucp [usr/lib/news/bin/rnews]
4754 root/news [usr/lib/news/bin/innbind]

jailkit

4755 root/root [usr/bin/jk_uchroot]
4755 root/root [usr/sbin/jk_chrootsh]

krb5

4755 root/root [usr/bin/ksu]

kwartz-client

4755 root/root [usr/bin/kwartzproxy]

liblockfile

2755 root/mail [usr/bin/dotlockfile]

liboping

4755 root/root [usr/bin/noping]
4755 root/root [usr/bin/oping]

libpam-ccreds

4755 root/root [sbin/ccreds_chkpwd]

libutempter

2755 root/utmp [usr/lib/x86_64-linux-gnu/utempter/utempter]

lockfile-progs

2755 root/mail [usr/bin/mail-lock]
2755 root/mail [usr/bin/mail-touchlock]
2755 root/mail [usr/bin/mail-unlock]

2755 root/lp [usr/sbin/lpc]
6755 root/lp [usr/bin/lpq]
6755 root/lp [usr/bin/lpr]
6755 root/lp [usr/bin/lprm]

- # false positive (lxc-user-nic)
4755 root/root [usr/libexec/lxc/lxc-user-nic]

mahimahi

4755 root/root [usr/bin/mm-delay]
4755 root/root [usr/bin/mm-link]
4755 root/root [usr/bin/mm-loss]
4755 root/root [usr/bin/mm-meter]
4755 root/root [usr/bin/mm-onoff]
4755 root/root [usr/bin/mm-webrecord]
4755 root/root [usr/bin/mm-webreplay]

maildrop

2755 root/mail [usr/bin/lockmail.maildrop]
2755 root/mail [usr/bin/maildrop]

mailutils

2755 root/root [usr/bin/dotlock.mailutils]

mandos

4755 root/root [usr/lib/x86_64-linux-gnu/mandos/plugins.d/askpass-fifo]
4755 root/root [usr/lib/x86_64-linux-gnu/mandos/plugins.d/mandos-client]
4755 root/root [usr/lib/x86_64-linux-gnu/mandos/plugins.d/plymouth]
4755 root/root [usr/lib/x86_64-linux-gnu/mandos/plugins.d/splashy]
4755 root/root [usr/lib/x86_64-linux-gnu/mandos/plugins.d/usplash]

masqmail

4755 root/root [usr/sbin/masqmail]

- # cons.saver has to be sgid tty to access vcsa
2755 root/tty [usr/lib/mc/cons.saver]

2755 root/mail [usr/bin/incm]

mew-beta

2755 root/mail [usr/bin/incm]

mutt

2755 root/mail [usr/bin/mutt_dotlock]

ndisc6

4755 root/root [bin/rdisc6]
4755 root/root [usr/bin/ndisc6]
4755 root/root [usr/bin/rltraceroute6]

netdata

4754 root/root [usr/lib/netdata/plugins.d/perf.plugin]

netkit-rsh

4755 root/root [usr/bin/netkit-rcp]
4755 root/root [usr/bin/netkit-rlogin]
4755 root/root [usr/bin/netkit-rsh]

nfs-utils

4755 root/root [sbin/mount.nfs]

nordugrid-arc

4755 root/root [usr/bin/arc-job-cgroup]

nullmailer

4755 mail/root [usr/bin/mailq]
4755 mail/root [usr/sbin/nullmailer-queue]

nvidia-modprobe

4755 root/root [usr/bin/nvidia-modprobe]

nwall

2555 root/tty [usr/bin/nwall]

opensmtpd

2755 root/mail [usr/libexec/opensmtpd/mail.local]

openssh

4755 root/root [usr/lib/openssh/ssh-keysign]

open-vm-tools

4755 root/root [usr/bin/vmware-user-suid-wrapper]

2755 root/shadow [sbin/unix_chkpwd]

pam-tmpdir

4755 root/root [sbin/pam-tmpdir-helper]

physlock

4755 root/root [usr/bin/physlock]

pidgin-blinklight

4755 root/root [usr/lib/pidgin-blinklight/blinklight-fixperm]

4754 root/dip [usr/sbin/pppd]

procmail

2755 root/mail [usr/bin/lockfile]
6755 root/mail [usr/bin/procmail]

putty

2755 root/utmp [usr/bin/pterm]

pwauth

4755 root/www-data [usr/sbin/pwauth]

rp-pppoe

4754 root/dip [usr/sbin/pppoe]

rsh-redone

4755 root/root [usr/bin/rsh-redone-rlogin]
4755 root/root [usr/bin/rsh-redone-rsh]

rush

4755 root/root [usr/sbin/rush]

sbox-dtc

4755 root/root [usr/lib/cgi-bin/sbox]

scamper

4755 root/root [usr/bin/scamper]

schroot

4755 root/root [usr/bin/schroot]

sendmail

2755 root/mail [usr/libexec/sendmail/mailstats]
2755 root/mail [usr/libexec/sendmail/sendmail]
4755 root/root [usr/sbin/sensible-mda]

shadow

2755 root/shadow [usr/bin/chage]
2755 root/shadow [usr/bin/expiry]
4755 root/root [usr/bin/chfn]
4755 root/root [usr/bin/chsh]
4755 root/root [usr/bin/gpasswd]
4755 root/root [usr/bin/newgidmap]
4755 root/root [usr/bin/newgrp]
4755 root/root [usr/bin/newuidmap]
4755 root/root [usr/bin/passwd]

singularity-container

4755 root/root [usr/lib/x86_64-linux-gnu/singularity/bin/starter-suid]

sleepd

4755 root/root [usr/bin/sleepctl]

smartlist

4755 root/list [var/list/.bin/choplist]
4755 root/list [var/list/.bin/flist]
4755 root/list [var/list/.bin/idhash]
4755 root/list [var/list/.bin/multigram]
4755 root/list [var/list/.bin/senddigest]

snapd

4755 root/root [usr/lib/snapd/snap-confine]

spice-gtk

4755 root/root [usr/libexec/spice-client-glib-usb-acl-helper]

splitvt

- # splitvt needs to have write access to the /var/run/utmp file in order to show which applications and users are running in each shell of the splitted window.
2755 root/utmp [usr/bin/splitvt]

ssmtp

2755 root/mail [usr/sbin/ssmtp]

sssd

4750 root/root [usr/libexec/sssd/krb5_child]
4750 root/root [usr/libexec/sssd/ldap_child]
4750 root/root [usr/libexec/sssd/selinux_child]

sudo

4755 root/root [usr/bin/sudo]
4755 root/root [usr/bin/sudo]

super

4755 root/root [usr/bin/super]

switchsh

4755 root/root [usr/bin/switchsh]

systemtap

4754 root/root [usr/bin/staprun]

tcptraceroute

4755 root/root [usr/bin/tcptraceroute.mt]

usermode

4755 root/root [usr/sbin/userhelper]

userv

4755 root/root [usr/bin/userv]

util-linux

2755 root/tty [usr/bin/wall]
2755 root/tty [usr/bin/write]
4755 root/root [bin/mount]
4755 root/root [bin/su]
4755 root/root [bin/umount]

uucp

4755 uucp/root [usr/bin/uucp]
4755 uucp/root [usr/bin/uustat]
4755 uucp/root [usr/bin/uux]
6755 uucp/dialout [usr/lib/uucp/uucico]
6755 uucp/uucp [usr/sbin/uuxqt]

uw-imap

2755 root/mail [usr/bin/mlock]

virtualbox

6755 root/root [usr/lib/virtualbox/VBoxHeadless]
6755 root/root [usr/lib/virtualbox/VBoxNetAdpCtl]
6755 root/root [usr/lib/virtualbox/VBoxNetDHCP]
6755 root/root [usr/lib/virtualbox/VBoxNetNAT]
6755 root/root [usr/lib/virtualbox/VBoxSDL]
6755 root/root [usr/lib/virtualbox/VirtualBoxVM]

vlock

4755 root/root [usr/sbin/vlock-main]

2755 root/video [usr/lib/w3m/w3mimgdisplay]

xawtv

4755 root/root [usr/bin/v4l-conf]

xemacs21

2755 root/mail [usr/lib/xemacs-21.4.24/x86_64-linux-gnu/movemail]

xiterm+thai

2755 root/utmp [usr/bin/xiterm+thai]

xorg-server

6755 root/root [usr/lib/xorg/Xorg.wrap]

xtrlock

2755 root/shadow [usr/bin/xtrlock]

xymon

4755 root/root [usr/lib/xymon/server/bin/xymonping]