# usefull diagnostic commands, but not as suid/sgid
UN-SUID	root:operator	/bin/df	SUID
UN-SUID	root:kmem	/bin/ps	SUID
UN-SUID	root:kmem	/usr/bin/fstat	SUID
UN-SUID	root:kmem	/usr/bin/modstat	SUID
UN-SUID	root:kmem	/usr/bin/netstat	SUID
UN-SUID	root:kmem	/usr/bin/systat	SUID
UN-SUID	root:kmem	/usr/bin/uptime	SUID
UN-SUID	root:kmem	/usr/bin/vmstat	SUID
UN-SUID	root:kmem	/usr/bin/w	SUID
UN-SUID	root:kmem	/usr/sbin/pstat	SUID
UN-SGID	root:bin	/sbin/ping	SGID
UN-SGID	root:bin	/sbin/ping6	SGID
UN-SGID	root:operator	/sbin/shutdown	SGID
UN-SGID	root:bin	/usr/bin/crontab	SGID
UN-SGID	root:bin	/usr/bin/quota	SGID
UN-SGID	root:bin	/usr/sbin/timedc	SGID
UN-SGID	root:bin	/usr/sbin/traceroute	SGID
UN-SGID	root:bin	/usr/sbin/traceroute6	SGID
UN-SUID	root:kmem	/sbin/ccdconfig	SUID

# have never used these on a firewall
REMOVE	root:auth	/usr/bin/lock	SUID
REMOVE	root:tty	/usr/bin/wall	SUID
REMOVE	root:tty	/usr/bin/write	SUID
#REMOVE	root:daemon	/usr/sbin/lpc	SUID
REMOVE	root:kmem	/usr/sbin/trsp	SUID
REMOVE	root:kmem	/usr/sbin/trpt	SUID
REMOVE	root:wheel	/var/audit	SUID
REMOVE	root:bin	/bin/rcp	SGID
REMOVE	root:bin	/usr/bin/chfn	SGID
REMOVE	root:bin	/usr/bin/chpass	SGID
REMOVE	root:bin	/usr/bin/chsh	SGID
REMOVE	root:bin	/usr/bin/batch	SGID
REMOVE	root:bin	/usr/bin/at	SGID
REMOVE	root:bin	/usr/bin/atq	SGID
REMOVE	root:bin	/usr/bin/atrm	SGID
#REMOVE	root.daemon	/usr/bin/lpq	SUID	SGID
#REMOVE	root:daemon	/usr/bin/lpr	SUID	SGID
#REMOVE	root:daemon	/usr/bin/lprm	SUID	SGID
REMOVE	root:bin	/usr/bin/rlogin	SGID
REMOVE	root:bin	/usr/bin/rsh	SGID
REMOVE	root:bin	/usr/sbin/sliplogin	SGID

# don't touch these
NONE	root:auth	/usr/bin/skeyinfo	SUID
#NONE	root:smmsp	/usr/libexec/sendmail/sendmail	SUID
NONE	root:bin	/usr/bin/login	SGID
NONE	root:bin	/usr/bin/passwd	SGID
NONE	root:bin	/usr/bin/skeyaudit	SGID
NONE	root:bin	/usr/bin/skeyinit	SGID
NONE	root:bin	/usr/bin/slogin	SGID
NONE	root:bin	/usr/bin/ssh	SGID
NONE	root:bin	/usr/bin/su	SGID
NONE	root:bin	/usr/bin/sudo	SGID
NONE	root:bin	/usr/libexec/lockspool	SGID
NONE	root:auth	/usr/libexec/auth/login_activ	SGID
NONE	root:auth	/usr/libexec/auth/login_chpass	SGID
NONE	root:auth	/usr/libexec/auth/login_crypto	SGID
NONE	root:auth	/usr/libexec/auth/login_krb4	SGID
NONE	root:auth	/usr/libexec/auth/login_krb4-or-pwd	SGID
NONE	root:auth	/usr/libexec/auth/login_krb5	SGID
NONE	root:auth	/usr/libexec/auth/login_krb5-or-pwd	SGID
NONE	root:auth	/usr/libexec/auth/login_lchpass	SGID
NONE	root:auth	/usr/libexec/auth/login_passwd	SGID
NONE	root:auth	/usr/libexec/auth/login_radius	SGID
NONE	root:auth	/usr/libexec/auth/login_reject	SGID
NONE	root:auth	/usr/libexec/auth/login_skey	SGID
NONE	root:auth	/usr/libexec/auth/login_snk	SGID
NONE	root:auth	/usr/libexec/auth/login_token	SGID
#NONE	root:network	/usr/sbin/ppp	SGID
#NONE	root:dialer	/usr/sbin/pppd	SGID