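During installation the system automatically installs the recommended patch bundle, but that bundle does not contain every security patch. Check for the latest patches regularly: a system with the latest security patches installed is far more reliable than one without them.
Patches usually come as Standard patches, Recommended patches, Security patches and Y2K patches; patch clusters are bundles of the above. Point patches fix one specific problem.
Use the following methods to keep track of known vulnerabilities and the corresponding patches:
1. Subscribe to the mailing lists of the relevant organisations and vendors (such as CERT/First, SUN, Bugtraq).
2. Subscribe to mailing lists about vulnerabilities and patches, such as Security Portal (Solaris Digest), SecurityFocus (the Sun section) or SANS.
3. Regularly use a tool to check whether the patches installed on the server match the latest patch list published by Sun.
4. Check Sun's recommended patch bundle every one to two months. Note that when installing the recommended patch bundle, patching the kernel may cause some applications to misbehave.
5. Patches for certain third-party applications also need attention.
Note: installing patches may change the Yassp configuration, so after installing patches and rebooting, check carefully whether any unneeded processes have been started.
Tools for patches
* GetApplyPatch and CheckPatches are two Bourne shell scripts for managing Solaris patches.
1. CheckPatches uses the showrev command to list the patches already installed, compares them with the Solaris patch report, and lists the recommended and security patches that still need to be installed. The patch report SolarisX.PatchReport is normally in the current directory; the -f option downloads the latest patch report via FTP: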
>./CheckPatches -f
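2. GetApplyPatch: fetches and installs the latest patches, taking patch numbers as arguments to the script. When run, it asks whether to download, displays the patch's README file, installs the patch and then deletes the installation directory. With the '-b' option it runs in "batch mode" and does not prompt.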
>./GetApplyPatch 108875-07
CheckPatches.cron is a script that runs automatically and mails the result to the administrator.
3. Use the two scripts together to fetch and install the patches that are needed.
>./CheckPatches | ./GetApplyPatch
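GetApplyPatch.cron can be used to fetch and install patches automatically, but it is not recommended on mission-critical servers.
4. Other features:
* Comes with man pages
* Supports Solaris Intel and Sparc (tested)
* An ftp proxy can be configured
* CheckPatches can ignore patches that do not need to be installed. For example, on a Solaris8 x86 system, running CheckPatches reports that the following patches are needed: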
109897-03 SunOS 5.8_x86: USB patch
109952-01 SunOS 5.8_x86: jserver buffer overflow
110417-02 SunOS 5.8_x86: ATOK12 patch
We do not want to install these patches. Create Solaris8_x86.PatchReport.Except and add the three lines above to it; the next time the CheckPatches script runs it will ignore them.
* The output of CheckPatches can also be filtered, for example:
./CheckPatches | egrep -v "109897|109952|110417"
* The Patchdiag tool provided by Sunsolve, together with the latest Patchdiag.xref, can check which patches the system is missing; then download and install those patches.
* Use the SecurityFocus vulnerability calculator tool (http://securityfocus.com/focus/sun/form.html). Run the following command:
>showrev -p |cut -f2 -d' ' | xargs
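Paste the result into the window, then select the operating system. From the results, pick the items relevant to the applications on your own host and patch them.
* FastPatch can be used in place of the patchadd command; it runs faster.
* Patchreport is another very comprehensive patch-checking tool, written in perl.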
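The comparison that CheckPatches is described as performing (installed patches from showrev against a patch report, minus an exception file), as an added shell example; it is not the CheckPatches script or any code from the original page. The file formats, function names and sample entries are assumptions constructed for illustration, and exceptions here match the exact ID-REV so that a later revision of an excepted patch is reported again.

```shell
#!/bin/sh
# Added example, not the CheckPatches script itself. Assumed formats:
#   installed list: "showrev -p" style lines, "Patch: ID-REV ..."
#   report and exception files: "ID-REV description", one patch per line
# missing_patches INSTALLED REPORT [EXCEPT] prints the report lines whose
# patch is absent or installed at a lower revision, minus excepted ID-REVs.
missing_patches() {
    installed=$1 report=$2 except=${3:-/dev/null}
    awk -v inst="$installed" -v exc="$except" '
        BEGIN {
            # Highest installed revision per patch ID.
            while ((getline line < inst) > 0) {
                split(line, f, " ")
                if (f[1] != "Patch:" || split(f[2], p, "-") != 2) continue
                if (!(p[1] in have) || p[2] + 0 > have[p[1]]) have[p[1]] = p[2] + 0
            }
            # Exact ID-REV entries the administrator chose not to install.
            while ((getline line < exc) > 0) {
                split(line, f, " ")
                if (f[1] != "") skip[f[1]] = 1
            }
        }
        split($1, p, "-") == 2 && !($1 in skip) &&
            (!(p[1] in have) || have[p[1]] < p[2] + 0)
    ' "$report"
}

# Constructed sample data, not real system output.
demo_missing_patches() {
    d=$(mktemp -d) || return 1
    cat > "$d/showrev" <<'EOF'
Patch: 108875-05 Obsoletes: Requires: Incompatibles: Packages: SUNWcsu
Patch: 109897-03 Obsoletes: Requires: Incompatibles: Packages: SUNWusb
EOF
    cat > "$d/report" <<'EOF'
108875-07 SunOS 5.8_x86: constructed entry
109897-03 SunOS 5.8_x86: USB patch
109952-01 SunOS 5.8_x86: jserver buffer overflow
110417-02 SunOS 5.8_x86: ATOK12 patch
EOF
    # 110417-01 was excepted earlier; the report now lists 110417-02.
    printf '%s\n' '109952-01 jserver' '110417-01 ATOK12' > "$d/except"
    missing_patches "$d/showrev" "$d/report" "$d/except"
    rm -rf "$d"
}
demo_missing_patches
```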
8. RPC
On mission-critical hosts, avoid using RPC services. RPC uses dynamically allocated ports and non-standard access control methods. However, some applications do need RPC, such as CDE, Open Windows, Disksuite and Legato Networker.
How to improve the security of Disksuite
Disksuite is a tool built into the system for disk mirroring and setting up RAID. It needs RPC support (rpc.metamhd and rpc.metad, run from inetd).
1. Avoid running Disksuite where possible
* The advantage of hardware RAID is that it needs no special software support, which is a great benefit for systems with high security requirements. And when something goes wrong, you will find that Disksuite is not particularly easy to use.
* For disks such as the system disk, whose data does not change frequently, cold mirroring is sufficient; the script mirror_boot.sh can do this.
2. Run Disksuite, but stop the RPC services. Stopping the 'metad' service in inetd.conf has the following consequences:
* 'metatool' will no longer work, but the command-line tools still run. It is best to know these command-line tools anyway, to cope with a catastrophic failure of the system disk.
* Disksets (metadevices shared between systems) can no longer be used.
3. If you use Disksuite and RPC, use Wietse Venema's RPCBIND.
* The Sunscreen EFS Lite Firewall that ships with Solaris8 can be used to restrict access to rpc services.
* IPfilter can also be used as a local firewall that restricts access to RPC services.
* IPfilter runs on older Solaris versions before 8, and it is free.
* It doesn't have an RPC state-based engine, though (so it can't filter on RPC program names or allow RPC to specific destinations).
* But it can be used to allow all localhost RPC traffic (enough for some RPC applications such as Disksuite or CDE) and deny all remote traffic except, say, HTTP or whatever service is provided to remote hosts.
* Wietse Venema's rpcbind (included in the Yassp tarball) provides tcp wrapper-like access control and logging. Rpcbind is a "directory" service used to locate a given service (by RPC name or RPC number). Because it is not an intermediary for the connection to the service, it cannot really provide access control for RPC programs. A port scanner can detect active RPC services, and unless the kernel is customised to filter those connections, access to the services cannot be prevented.
9. Logs, Cron, Permissions
Configuring logging and pruning:
* Syslog logging: Yassp uses a modified /etc/syslog.conf that enables more logging, saved in /var/adm/messages. It also installs an optional /etc/syslog.conf.server, designed for loghosts, which stores different services in separate log files.
* Yassp disables the log-related entries in the root account's cron and adds an entry that runs the 'daily' script.
Configuring Syslog
Syslog client: specify the log server in the /etc/hosts file.
* Test whether the log server works:
logger -p auth.warn "test of syslog"
and check whether the message was recorded on the log server.
* To log both on the log server and locally, uncomment the following line in /etc/syslog.conf:
*.err;auth.info;kern.debug /var/adm/messages
* If logging does not work properly, refer to the examples and hints in syslog.conf.
Syslog server (loghost):
* The log server needs a large disk to hold the log files.
* On Solaris8, Yassp starts syslog with the "-t" option, so it does not accept logging requests from other hosts. To set up a central log server, set SYSLOGFLAGS="" in /etc/yassp.conf.
* Yassp also installs an /etc/syslog.conf.server configuration file, intended for log servers, which stores the logs produced by different services in different files under /var/log. Replace the configuration file with it and restart syslog:
mv /etc/syslog.conf /etc/syslog.conf.client
cp /etc/syslog.conf.server /etc/syslog.conf
# SIGHUP makes syslogd re-read its configuration
kill -HUP `cat /etc/syslog.pid`
* Use the rotate_log tool to manage and compress the logs; add to root's cron:
##Prune syslog logs weekly,keeping the last 6 months or so:
55 23 * * 6 /secure/rotate_log -n 40 alertlog
55 23 * * 6 /secure/rotate_log -n 40 authlog
55 23 * * 6 /secure/rotate_log -n 40 cronlog
55 23 * * 6 /secure/rotate_log -n 40 daemonlog
55 23 * * 6 /secure/rotate_log -n 40 kernlog
55 23 * * 6 /secure/rotate_log -n 40 local0log
55 23 * * 6 /secure/rotate_log -n 40 local2log
55 23 * * 6 /secure/rotate_log -n 40 local5log
55 23 * * 6 /secure/rotate_log -n 40 newslog
55 23 * * 6 /secure/rotate_log -n 40 userlog
55 23 * * 6 /secure/rotate_log -n 40 lprlog
55 23 * * 6 /secure/rotate_log -n 40 maillogd
Add entries to root's cron that clean up log files every year:
##Empty login/logout records at year end
0 0 31 12 * /secure/wtrim.pl wtmp 20
0 0 31 12 * /secure/wtrim.pl wtmpx 20
#
#Solaris 2.x logs
0 4 * * 6 /secure/rotate_log -L /var/adm -n 30 loginlog
0 4 * * 6 /secure/rotate_log -L /var/adm -n 30 sulog
0 4 * * 6 /secure/rotate_log -L /var/adm -n 2 vold.log
0 4 * * 6 /secure/rotate_cron
Other entries that need to be set in root's cron:
Synchronise the time daily against a reliable time source using rdate (NTP would be more accurate, but brings corresponding risks):
##Synchronise the time:
0 * * * * /usr/bin/rdate YOURTIMEHOST >/dev/null 2>&1
Install monitor_processes.pl, a script that checks whether important processes are running, and add to root's cron:
##Check that important processes are running during office hours:
##[If you run 7x24,modify accordingly]
0,30 8-19 * * 1-5 /secure/monitor_processes.pl sshd httpd
Each time a new program is installed, it is best to record it in a file, for example:
cat >/etc/mods <<EOF
EOF
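10. Restricting SUID files
A file with the SUID bit set lets a user execute the program with the permissions of the file's owner. This is commonly used to let ordinary users run programs that only root can run, but it carries the risk of buffer overflows.
* Solaris has many "SUID root" executables, each of which brings risk, so disable as many SUID programs as possible.
* Read the SUID reference documents
Finding SUID files on the system
Use the find command: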
find / -perm -u+s -ls
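find / -perm -g+s -ls    # finds SGID programs
How to handle SUID files:
* Delete them outright
* Disable the program (chmod 000 FILENAME)
* Remove the SUID bit (chmod ug-s FILENAME)
* Restrict the file by group: first remove the permissions for everyone else (chmod o-rwx), then allow group access (chgrp MYGROUP MYFILE).
Which SUID files need to be restricted
* On sensitive servers that have user accounts, or where critical processes run as a non-root user, reduce SUID files as far as possible.
* For systems with very high reliability requirements, it is recommended to disable all of them except "pt_chmod", "utmp_update" and "su".
* Reg Quinton explains every Solaris SUID program and gives configuration recommendations.
* Examples:
* Tools such as uucp are basically useless and can be removed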
pkgrm SUNWbnuu
chmod ug-s /usr/bin/cu /usr/bin/uu* /usr/lib/uucp/*
* Another useless package is kcms (Kodak Color Management System)
pkgrm SUNWkcspf SUNWcspx SUNWkcspg SUNWkcsrt
chmod ug-s /usr/openwin/bin/kcms*
* If no printer is used
chmod ug-s /usr/lib/lp/bin/netpr /usr/sbin/lpmove /usr/bin/lp /usr/bin/lpset \
/usr/bin/lpstat /usr/bin/cancel /etc/lp/alerts/printer
* Allow only root to use the r commands
chmod ug-s /usr/bin/rcp /usr/bin/rlogin /usr/bin/rsh
* Allow only root to sniff the network and list processes
chmod ug-s /usr/sbin/snoop /usr/sbin/devinfo /bin/rdist /usr/bin/netstat \
/usr/local/bin/top /usr/sbin/traceroute /usr/local/bin/lsof /usr/bin/*/ps \
/usr/ucb/*/ps /usr/sbin/*/whodo /usr/bin/*/uptime /usr/bin/*/w
* Allow only root to do backups and restores
chmod ug-s /usr/lib/fs/ufs/ufsdump /usr/lib/fs/ufs/ufsrestore
* Assuming YP and NIS+ are not used
chmod ug-s /usr/bin/chkey
* Allow only root to use cron and at
chmod ug-s /usr/bin/at /usr/bin/atq /usr/bin/atrm /usr/bin/crontab
* Allow only root to administer the system
chmod ug-s /usr/bin/admintool /usr/lib/fs/ufs/quota /usr/bin/tip /usr/bin/fdformat \
/usr/bin/eject /usr/bin/volcheck /usr/bin/volrmmount /usr/bin/rmformat
* If Openwindows and CDE are not used
chmod ug-s /usr/dt/bin/* /usr/openwin/*/*
* Sendmail: hosts that are not email servers do not need the SUID bit set on sendmail
chmod u-s /usr/lib/sendmail
* After the operations above, on a Solaris8 system installed in "End User" mode, the list of SUID files is as follows:
/usr/lib/pt_chmod /usr/lib/utmp_update /usr/bin/login /usr/bin/newgrp /usr/bin/newtask
/usr/bin/pfexec /usr/bin/su /usr/bin/passwd /usr/sbin/allocate /usr/sbin/mkdevalloc
/usr/sbin/mkdevmaps /usr/sbin/ping /usr/sbin/sacadm /usr/sbin/deallocate
/usr/sbin/list_devices /usr/sbin/pmconfig /opt/local/bin/ssh
/usr/bin/yppasswd and /usr/bin/nispasswd are also SUID, but they are links to /usr/bin/passwd.
* The package database still retains the SUID files that have not been changed:
find / -perm -u+s -exec pkgchk -l -p {} \; |more
* List all SUID files and the package each belongs to
find / -perm -u+s -exec pkgchk -l -p {} \; | more
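A follow-up check for the clean-up above, as an added shell example rather than anything from the original page or from Yassp: it lists SUID/SGID files under a directory that are not on a reviewed allowlist, such as the final list given above. The function names, the allowlist format and the demo tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag SUID/SGID files that are missing from a reviewed
# allowlist (one absolute path per line).
suid_audit() {   # usage: suid_audit ROOT ALLOWLIST
    root=$1 allow=$2
    # Fail closed: without an allowlist nothing can be called "expected".
    [ -r "$allow" ] || { echo "allowlist unreadable: $allow" >&2; return 2; }
    # -perm -4000 / -2000 are the numeric forms of "-u+s" / "-g+s".
    found=$(find "$root" -type f \( -perm -4000 -o -perm -2000 \) -print \
            2>/dev/null | sort)
    [ -n "$found" ] || return 0
    # Keep only paths with no exact, whole-line match in the allowlist.
    bad=$(printf '%s\n' "$found" | grep -Fvx -f "$allow" || true)
    [ -n "$bad" ] || return 0
    printf '%s\n' "$bad" | while IFS= read -r f; do
        kind=
        [ -u "$f" ] && kind=SUID
        [ -g "$f" ] && kind="${kind:+$kind+}SGID"
        printf '%s %s\n' "$kind" "$f"
    done
}

# Constructed demo tree; file names are illustrative, contents are empty.
demo_suid_audit() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/usr/bin" "$d/usr/local/bin"
    for f in usr/bin/su usr/bin/ls usr/bin/write usr/local/bin/top; do
        : > "$d/$f"; chmod 755 "$d/$f"
    done
    chmod u+s "$d/usr/bin/su" "$d/usr/local/bin/top"
    chmod g+s "$d/usr/bin/write"
    printf '%s\n' "$d/usr/bin/su" > "$d/allow"   # only su is approved
    # Strip the temporary prefix so the report shows the in-tree paths.
    suid_audit "$d" "$d/allow" | sed "s|^\([A-Z+]* \)$d|\1|"
    rm -rf "$d"
}
demo_suid_audit
```

Run from cron against / with the allowlist kept on read-only media, any output means a SUID or SGID file appeared since the last review.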