= DerootificationStatus = The following programs/processes were already successfully "derooted", i. e. the process does not run as root any more, or got its suid root bit removed: * klogd ([[http://patches.ubuntu.com/patches/sysklogd.no-root.diff|patch]] sent to Debian [[http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=35325|BTS]]) * syslogd ([[http://patches.ubuntu.com/patches/sysklogd.no-root.diff|patch]] sent to Debian [[http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=35325|BTS]]) * cupsd ([[http://patches.ubuntu.com/patches/cupsys.min-privileges.diff|patch]] sent to Debian [[http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=263796|BTS]]) * hald (accepted in Debian, accepted upstream) * ntpd ([[http://patches.ubuntu.com/patches/ntp.no-root.diff|patch]] sent to Debian [[http://bugs.debian.org/298059|BTS]]) * procmail ([[http://patches.ubuntu.com/patches/procmail.minprivs.diff|patch]] sent to Debian [[http://bugs.debian.org/298058|BTS]]) * smbmount/smbumount (trivial packaging change, not really appropriate for Debian) * jackd (Ubuntu patch effectively disables realtime feature by installing it non-suid) * login ([[http://patches.ubuntu.com/patches/shadow.login-nosuid.diff|patch]] sent to Debian [[http://bugs.debian.org/298060|BTS]], adopted in Debian) * gpg/gnupg ([[http://patches.ubuntu.com/patches/gnupg.capabilities.diff|patch]] sent to Debian [[http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=260803|BTS]]); completely non-suid in Ubuntu, kernel 2.6.8+ supports mlock() as user * hpoj ([[http://patches.ubuntu.com/patches/hpoj.deroot.diff|patch]] sent to Debian [[http://bugs.debian.org/298064|BTS]], accepted in Debian) * at ([[http://patches.ubuntu.com/patches/at.deroot.diff|patch]] sent to Debian [[http://bugs.debian.org/295816|BTS]], accepted in Debian) * dhcp3-server ([[http://patches.ubuntu.com/patches/dhcp3.deroot-server.diff|patch]] sent to Debian [[http://bugs.debian.org/308833|BTS]]) * unix_chkpwd ([[http://patches.ubuntu.com/patches/pam.unix_chkpwd-deroot.diff|pam]] and [[http://patches.ubuntu.com/patches/nis.unix_chkpwd-deroot.diff|nis]] patches sent to Debian [[http://bugs.debian.org/155583|BTS]]) * hplip (accepted in Debian) The following processes still appear to run with too many privileges by default and should be investigated: * udevd * power management daemons * X * arpwatch * vsftpd The following programs/processes were at one point "derooted" but now run as root: * dhcp3-client ([[http://patches.ubuntu.com/patches/dhcp3.deroot-client.diff|patch]] sent to Debian [[http://bugs.debian.org/308832|BTS]] )