This is not incorrect, but broad enough that I’d probably get more use out of the inverse of this list. For example, listing ‘cat’ as a program that when run with the suid bit set, will read privileged files is.. erm.. noise. ‘It runs with elevated privileges under sudo’ is also similarly applicable to basically everything.
And as a result, programs that give surprising shell access, like patch(1), which can invoke ed(1), which has the ability to filter text through the shell, may go unnoticed in this list, when they should be ringing alarm bells.
For that matter, this list doesn’t even include patch(1).
I think that’s a fair criticism, and a good point!
Haha yeah I saw “cobc runs in a privileged context” and immediately went to check if it was setuid on my system… turns out they just run it with sudo in the example.
Reminds me a bit about a talk about kernel hacking where their whole thing was to build a malicious kernel module.
If root loads your module, you have root access. Big surprise, you just reinvented the term “backdoor”.
All of this facilitated by ambient authority.