7.2. Set User/Group ID (suid) Programs

A few packages install suid programs by default. This allows normal users to change their password and have the change written to /etc/shadow, and it can allow users to mount discs. GnuPG is suggested to be suid so that it can keep decrypted keys in RAM rather than letting them be swapped to disc, where an attacker could recover them. In some cases there may be suid programs that you don't need to be suid. The following command will search the entire system for suid programs:

find / -perm -4000

The above command can take a long time if you have many files. This next command will only check the directories in your PATH. If your PATH is complete, this command should be effective in finding all the suid programs:

find `echo $PATH | sed -e 's/:/ /g'` -perm -4000

It is up to you which programs you need to have suid. The following is only a suggestion. These programs can have the suid bit removed and most people won't miss it:

chmod -s /bin/{mount,umount}

Some people use these, some people don't:

chmod -s /usr/bin/{chfn,chsh,chage,newgrp,expiry}

If you do not use group passwords then disable gpasswd:

chmod -s /usr/bin/gpasswd

You should run the find(1) command periodically, especially after installing more packages. For example, an /etc/weekly cron script can put output from the find(1) command in /var/cache. The weekly script can then compare output from one week to the next, and notify you if there is a change.
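A weekly audit script of the kind described above, as an added example (not from the original page): it writes the suid list to a cache directory, diffs it against the previous run, and prints a report only when something changed, so cron's usual mail-on-output delivers the notification. The cache directory /var/cache/suid-audit, the --run flag and GNU find's -printf are assumptions.

```shell
#!/bin/sh
# Weekly suid audit (added example, not from the original page).
# Snapshots the suid list, compares it with last week's, and prints a
# report only when something changed; cron mails any output to the job
# owner. The cache directory is an assumption.
CACHE_DIR="${SUID_CACHE_DIR:-/var/cache/suid-audit}"

# list_suid ROOT...: mode, owner, group and path of each suid file under
# the given roots, sorted so snapshots can be diffed line by line.
# -xdev keeps find on local filesystems (GNU find -printf assumed).
list_suid() {
    find "$@" -xdev -type f -perm -4000 -printf '%M %u %g %p\n' 2>/dev/null | sort
}

# compare_snapshots OLD NEW: print lines that appeared (+) or vanished (-)
# between two snapshots; returns 0 if identical, 1 if they differ.
compare_snapshots() {
    changes=$(diff "$1" "$2" | grep '^[<>]' | sed 's/^< /-/; s/^> /+/')
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}

# run_audit ROOT...: take a fresh snapshot, keep last week's copy aside, and
# report additions (a new suid binary after a package install, or a suid
# bit that came back after you removed it) and removals.
run_audit() {
    mkdir -p "$CACHE_DIR"
    cur="$CACHE_DIR/suid.current"
    prev="$CACHE_DIR/suid.previous"
    list_suid "$@" > "$cur.tmp"
    if [ -f "$cur" ]; then
        mv "$cur" "$prev"
        if ! report=$(compare_snapshots "$prev" "$cur.tmp"); then
            printf 'suid programs changed on %s:\n%s\n' "$(uname -n)" "$report"
        fi
    fi
    mv "$cur.tmp" "$cur"
}

# From /etc/cron.weekly: "suid-audit.sh --run" scans /; give the PATH
# directories after --run instead for the quicker PATH-only scan.
if [ "${1:-}" = "--run" ]; then
    shift
    [ $# -gt 0 ] || set -- /
    run_audit "$@"
fi
```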

If you used all of the suggestions above, you should only have three remaining suid programs, /bin/su, /bin/ping and /bin/passwd, plus /usr/lib/glibc/pt_chown with Glibc.

su should be restricted to only those users authorized to use it. Using Unix permissions works very well for this. Add a suers group, change the group ownership of su to that group, and remove world permissions from su:

groupadd suers
chgrp suers /bin/su
chmod 4710 /bin/su

Now ls -l /bin/su should look like this:

 -rws--x---  1 root suers 31088 2004-12-18 02:19 /bin/su

Users authorized to use su must be added to the suers group.