sipb / homeworld

Cluster management system for the SIPB Hyades project
MIT License

Remove setuid bits from 'su' and other setuid binaries #76

Open celskeggs opened 7 years ago

celskeggs commented 7 years ago

su: You should never need to gain root on a node. Other binaries: let's maximally avoid privilege escalation. Ping: maybe keep this one.

achernya commented 7 years ago

Scripts implements this with a cron job and whitelist for all setuid/setgid binaries. Scripts is a multi-tenant environment without container isolation, so it probably whitelists more things than Hyades should.

There's a similar check for filesystem capabilities: cron job, whitelist.

andersk commented 7 years ago

Scripts also has yum post-actions to preserve these changes on package upgrades. On Debian, you’d do this with dpkg-statoverride.

Or, you can mount the entire filesystem with the nosuid option, which neuters setuid, setgid, and fscaps globally. You can then whitelist individual binaries if needed by bind-mounting them onto themselves with the suid option (but really, you can probably just live without ping as non-root).
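The cron-job-plus-whitelist audit described above, as an added example (not code from the homeworld repository or from any commenter): it lists every setuid/setgid file under a root directory, reports anything not in an allowlist file, and optionally strips the bits from the unexpected ones. The allowlist contents and paths are assumptions for illustration; the `dpkg-statoverride` and `mount` commands in the comments are the Debian/Linux tools the thread names, shown for reference rather than run.

```shell
#!/bin/sh
# Added example: audit setuid/setgid binaries against an allowlist, in the
# spirit of the cron job + whitelist approach from the thread. Not project code.

# Print every regular file under $1 (same filesystem only) with the setuid
# or setgid bit set, one path per line, sorted for stable diffs.
find_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Print setuid/setgid files under $1 that are not listed (exact path match)
# in allowlist file $2. Returns 0 when the host is clean, 1 when something
# unexpected exists. An empty allowlist means "nothing may be setuid".
audit_setid() {
    if find_setid "$1" | grep -vxF -f "$2"; then
        return 1
    fi
    return 0
}

# Remove the setuid/setgid bits from every unexpected file under $1.
# On Debian, make the change survive package upgrades with dpkg-statoverride,
# for example (hypothetical path, not run here):
#   dpkg-statoverride --update --add root root 0755 /usr/bin/su
# The global alternative from the thread is a nosuid mount, e.g.
#   mount -o remount,nosuid /
# with an individual binary re-enabled via a suid bind mount onto itself.
strip_unexpected() {
    find_setid "$1" | grep -vxF -f "$2" | while IFS= read -r f; do
        chmod u-s,g-s "$f"
    done
}

# Usage (run from cron as root):  audit_setid / /etc/setid-allowlist
# Constructed demo below uses a temporary tree so it runs as any user.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin"
    : > "$tmp/bin/su";   chmod 4755 "$tmp/bin/su"    # constructed: unexpected setuid
    : > "$tmp/bin/ping"; chmod 4755 "$tmp/bin/ping"  # constructed: allowlisted setuid
    : > "$tmp/bin/ls";   chmod 0755 "$tmp/bin/ls"    # constructed: no special bits
    printf '%s\n' "$tmp/bin/ping" > "$tmp/allow"
    audit_setid "$tmp" "$tmp/allow" || strip_unexpected "$tmp" "$tmp/allow"
    audit_setid "$tmp" "$tmp/allow"
    status=$?
    rm -rf "$tmp"
    return $status
}
```

Run `audit_setid / /etc/setid-allowlist` from a cron job and alert on a non-zero exit; only add `strip_unexpected` once the allowlist has been reviewed, since it modifies files in place.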