Status

• 2010-04-22: RHEL6 beta is released - let's start

  • docs: http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/

• 2010-05-06: working kickstart yielding a system with afs, root login via ssh key, user login via gssapi
  • still requires a hostname.part file in the profiles directory
• 2010-05-07: after kickstart, system is ready to run features
• 2010-05-24: after installation, the sue mechanism is active
• 2010-08-19: beta 2 refresh is operational
• 2010-10-08:
  • kickstart installation works according to the SL operations manual, at least for the test systems
  • yields a system with afs, root login via ssh key or gssapi, user login via gssapi, sue/yumsel fully operational, and the most important features working
• 2010-10-11: there are working VAMOS defaults for generic desktops (sl6-desktop-nogroup-def) and generic workgroup servers (sl6-wgs-def)
• 2010-10-29:
  • software selection is substantially complete
  • the truetype core fonts are now installed
• 2010-11-02: installations preserving filesystems should now work
• 2010-11-25: work completed since RHEL6 GA release
  • we can install and maintain a true RHEL6 system just as well as SL6
  • systems install current updates for their class in the first place
  • preserving filesystems should work now
• 2010-11-27: reasonable default setup for xterm, including "our" default font (works fine with UTF-8)
• 2010-12-08:
  • we can install and maintain SL6 alpha1 systems (CF_SL_release=6rolling)
    • SELinux is disabled after installation. To enable: touch /etc/.autorelabel, modify /etc/sysconfig/selinux, and reboot
  • presentation in technical seminar scheduled for 2011-01-25
• 2010-12-22:
  • the default tree is now 6rolling (currently alpha3), SELinux is ok now
  • openafs packaging is close to final and should show up in 6rolling/testing soon
• 2010-12-27: virtualization works (SL6 as both host and vm, and both in combination with SL5)

Completed

• Features: xntp, sue, hosts, netgroup, ssh, tcp_wrapper, passwd, group, nsswitch, klogin, aaru, syslog, linux, security, passwd_prog (verified passwd works), kerberos (including a heimdal rebuild), name_srv (client only), motd, pam, tidy_up, afs_client, kernel, gdm
• teach CKS.pl to "upgrade" ext3 to ext4 by default, and add an option to prevent it
• read host.ks in %pre, and cut out the partitioning - or teach CKS.pl to only write host.part for SL6
• remapgroups (may want to check a full install later, though)
• nvidia driver packages (for recent cards only). install, reboot, works
  • kabi-tracking kmods. non-whitelisted symbols are being used, but on SL6 we have dependencies for the whole ABI, hence we can check.
• preliminary, but usable openafs packages, also using kabi-tracking kmods
  • of course, using lots of non-whitelisted symbols
  • adding (part of) the kernel release to the kmod release makes it possible to coinstall kmods for different kernels (and KU.pl will do it if required)
• usrlocal

  • major removal of old cruft

  • no more links into shared filesystems in /usr/local/bin and /usr/local/lib

  • now split into usrlocal (user stuff, interactive systems only) and usrlocal-base (essential things also on servers)
• profiles (unmodified)
• virtualization
  • SL6 as Xen guest on SL5 host
  • SL6 as KVM guest on SL6 host
  • SL5 as guest on SL6 KVM
• configure and turn on the local firewall!

Next Steps

• continue adapting features - priority:
  1. nagios (work in progress)
  2. automount
  3. later: arcx, cfengine, conmgr, cups, ganglia, ldap, products, scout, sudo, vamos
     • probably drop?: atlas, inetd, kvm, trusted, ypclient
• add-on software
• CUDA/OpenCL
  • the kernel drivers are identical with the nvidia graphics driver, but the userland is different
• VMs on Desktops?
  • now possible even if the nvidia driver installed
  • support a Windows 7 VM on Linux Desktops?
• VDI, SPICE
  • virtual desktops hosted in the CC
  • enhanced access to those and local VMs via SPICE

Loose Ends

• disable user switching (there's a lockdown gconf setting for this)
• guest account:
  • zsh wants a .zshrc - we should probably copy the stuff from /etc/skel
  • and it's hard to choose the session type and seems impossible to have the choice stored (do we care?)
• mail (postfix) works, but is completely unconfigured
• for the time being, we symlink to the SL5 /opt/products/perl because lots of scripts won't work without it
  • alas, this has never existed as a 64bit build, hence we are forced to install glibc.i686
• users receive update notifications (probably: gpk-update-icon) - this should be disabled because they can't always install them
• nvidia driver:
  • access to /dev/nvidia* is not yet allowed for console users
    • modifiy /etc/security/console.perms in nvidia-x11-drv.rpm?

    • doesn't work - rebased rpms to the elrepo ones for el6, and now permissions are 0666 (makes dri work, and is no big deal if we stop turning PCs into WGSs...)

  • may need different "generations" of nvidia-x11-drv and the associated kmod, for older cards

    • the current 260.19.12 works on nv295 (T3500), nv290 (T3400), nv285 (390, 380 = satyr > 60)

    • to check: nv280 (370) - these are 21 PCs, 6 of which were off when checked 2010-11-02, age >= 4.5 years

      • according to nvidia lists, it is not supported by the current driver

      • notice: satyr80 (380) has an nv280 fitted and generally looks strange (CPU,...) - probably special setup for *CAD then returned in exchange for a new model and the CAD video card replaced with one from a retired early satyr... Bastelkram, immer wieder toll...

• "interactive.ys" should be split into productivity/development/rest
• init scripts installed by cfengine have the wrong security label
  • seems to cause no harm so far, but fixing this is probably a good idea
  • we probably want unconfined_exec_t instead of initrc_exec_t for our stuff anyway

  • => use semanage fcontext

• failure messages during boot:
  • ntpdate
• turn off undesired services
  • do we want acpid?
    • required on KVM VMs
  • cgroups need a daemon? oh no...
• the ai web server really needs the policy change to allow it AFS access without a delay
• more s-bits to remove? (check candidate list below)

Fixed Ends

• mkconf uses vamos-web because it checks for /opt/products/perl/5.8.8 and doesn't know that we have a working client using /usr/bin/perl
• syslog: slightly different format on the loghost, may defeat logsurfer? (fixed: see "Logging" below"

• our profiles assume that resize is available (fixed: only used if available)

  • that's from the xterm package, which is obviously optional
  • why is this executed for root's bash anyway?
  • and why does it look as though it's not executed for a user's zsh?

• our profiles assume that ifhnews and tklife are available (fixed: only used if available)

  • which is not the case on servers, nor are they a necessity there
• turn off undesired services
  • hald is still required
  • do we want sssd? - no
  • get rid of pcscd (2010-11-25: done in SL_no_sc_daemons, along with openct)
• get rid of nslcd when using flat files for nsswitch (and that's the only case foreseen) - done 2010-11-26 (nsswitch feature)
  • make sure ldapsearch actually works without (done)
• tt core fonts should only be installed on PCs/WGS (and cabextract is needed only there) - done 2010-11-25
• SLU.pl doesn't work yet (needs vamos_cmd - is fixed 2010-10-29, now that we have vamos_cmd)
  • for the time being, simply use SL6U.pl instead
• sue.run-tidy failure message during boot (fixed - kinit moved from /usr/kerberos/bin to /usr/bin...)

• PolicyKit: no way to avoid installation on interactive systems, probably not even WGS

  • need to override some defaults from /var/lib/polkit-1/localauthority/10-vendor.d/10-desktop-policy.pkla (done in SLZ_desktop_policy.rpm)
    • in particular, we probably want to disallow hibernate and suspend...

      [No Suspend or Hibernate]
      Identity=*
      Action=org.freedesktop.devicekit.power.hibernate;org.freedesktop.devicekit.power.suspend
      ResultAny=no
      ResultInactive=no
      ResultActive=no

• make sure NetworkManager won't run - needs trigger! - done in !SL_no_NetworkManager.rpm 20101008)

Missing/Broken Software

• EPEL
  • gv: segfaults when closed
  • ddd: requires lesstiff
• flash plugin (64-bit "square" preview): beta status

• nvu is dead. Drop? Replace with Kompozer? (http://www.kompozer.net/)

• freemind should probably be replaced with vym (coming with the distro). Is this used at all?
• maple
• mathematica
• intel compiler
• MKL
• pgi compiler
• CUDA/OpenCL (GPGPU systems, and desktops with an appropriate graphics card - for developemnt)
• oracle client
• ROOT
• cernlib?
• CLHEP?
• GEANT4?
• Lustre Client -- 1.8.4 and 1.8 branch in git don't build yet, but a later version hopefully will

  • nope, 1.8.5 won't build either

Added/Fixed Software

• Adobe reader complains about missing theme and looks strange -required gtk2-engines.i686

Open Questions

• restorecond is no longer running by default - do we want it?
• disable IPv6? (well, this seems to cause problems with postfix and other stuff - at least it is logged that they try to have the module inserted)
• RHEL6 does not ship an X font server (xfs) - do we still have to provide this service?

* allow strigi? (does it work with AFS?)

• this is required by KDE...

Settled Questions

• allowing passwordless local login with pam_succeed_if.so in /etc/pam.d/gdm no longer works
  • this just moved into /etc/pam.d/gdm-password
• X works without any configuration
  • still true with non-US keyboards?
    • no problem, need not mention keyboard in xorg.conf. User can simply choose the layout in gdm (persistent!) and GNOME.
  • probably no longer true when the proprietary nvidia driver has to be used
    • no problem, the xorg.conf only has to contain one trivial section:

      Section "Device"
              Identifier  "Device0"
              Driver      "nvidia"
              VendorName  "NVIDIA Corporation"
      EndSection

    • also required for nvidia driver: boot with kernel parameters rdblacklist=nouveau nomodeset, disable nouveau in modprobe.d:

      blacklist nouveau
      options nouveau modeset=0

• in any case: do we really have to support non-US keyboards?

  • there are 3 Linux PCs with german keyboard - two in the computing centre, and one with a user not even speaking german...

  • even if we do, probably doesn't warrant automation

  • sequence to test: DISPLAY= system-config-keyboard --noui {de-latin1-nodeadkeys|us} ; system-setup-keyboard

    • caution: this messes up /etc/X11/xorg.conf

  • => do not fiddle with keyboard at all, gdm/gnome settings are good enough

Changes w.r.t. SL5

Changes in Local Configuration

• most of the kickstart profile is now static (SL6.ks), and the rest created during %pre
  • only the partitioning info is gathered from the .ks file in the profiles directory
• sue_daily is now run by anacron from /etc/cron.daily
• yum is configured to only install signed packages
• we generally install the proprietary nvidia driver
  • needs some work for older PCs (legacy drivers)

• local desktop users can install packages with PackageKit

  • default yum.conf is tailored for this case now - use yum -c /etc/yum.conf.all manually

  • excludes list in yum.conf.user is substantially complete
• there is only a very minimal xorg.conf - we rely on the automatic settings as much as possible
• we do not configure the keyboard - users with german keyboards can do it on the login screen and in GNOME

• we do not install KDE by default - users can add it on their PC with PackageKit

  • alas, this requires whitelisting stuff we possibly don't want installed (in particular, strigi)
• the default locale is en_US.UTF-8 (the RHEL default)
  • we set LC_PAPER to de_DE.UTF-8 so locale aware software will use A4 by default
• we install the real ksh, not a link to zsh

Info that should be in the release notes, but mostly isn't:

Misc. Changes

• uname -r now returns something like 2.6.32-19.el6.x86_64 instead of 2.6.32-19.el6

• kernel now requires kernel-firmware >= `uname -r` (kernel-firmware can not be co-installed in several versions)

• portmap is now called rpcbind

• the GNOME trashbin finally works

Cron

vixie-cron was replaced by cronie. The cron.{daily,weekly,monthly} mechanism is now run by cronie-anacron, see /etc/anacrontab:

# /etc/anacrontab: configuration file for anacron

# See anacron(8) and anacrontab(5) for details.

SHELL=/bin/sh
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
# the maximal random delay added to the base delay of the jobs
RANDOM_DELAY=45
# the jobs will be started during the following hours only
START_HOURS_RANGE=3-22

#period in days   delay in minutes   job-identifier   command
1       5       cron.daily              nice run-parts /etc/cron.daily
7       25      cron.weekly             nice run-parts /etc/cron.weekly
@monthly 45     cron.monthly            nice run-parts /etc/cron.monthly

I guess this means these tasks will be executed after boot if they were missed, with a random delay of 5..50 minutes? NB after the next full hour or after boot?

It seems the random delay also applies to the nightly runs:

May 11 03:01:01 t34 CROND[26413]: (root) CMD (run-parts /etc/cron.hourly)
May 11 03:01:01 t34 run-parts(/etc/cron.hourly)[26413]: starting 0anacron
May 11 03:01:01 t34 anacron[26423]: Anacron started on 2010-05-11
May 11 03:01:01 t34 anacron[26423]: Will run job `cron.daily' in 23 min.
May 11 03:01:01 t34 anacron[26423]: Jobs will be executed sequentially
May 11 03:01:01 t34 run-parts(/etc/cron.hourly)[26425]: finished 0anacron

And in fact, it's random every time:

[root@t34 ~]# grep 'Will run job.*daily' /var/log/cron
May 10 19:01:01 t34 anacron[6939]: Will run job `cron.daily' in 31 min.
May 11 03:01:01 t34 anacron[26423]: Will run job `cron.daily' in 23 min.
May 12 03:01:01 t34 anacron[30285]: Will run job `cron.daily' in 19 min.
May 13 03:01:01 t34 anacron[1682]: Will run job `cron.daily' in 13 min.
May 14 03:01:01 t34 anacron[3398]: Will run job `cron.daily' in 27 min.

That's certainly not what we want => set random delay to 0, and add a first job with a deterministic delay based on hostname hash?

sue_daily should be run by cron.daily to avoid clashes with other cron.daily tasks. The anacron behaviour may or may not be what we want, not sure yet.

Kickstart

• ks=http://..../profiles/ doesn't work (will retrieve the directory listing as kickstart file)

  • => use generic profile SL6.ks, retrieve/generate host specifics in %pre

• the netinfo file is gone "because it is now redundant"

  • no it isn't... ifcg-eth0 holds no useful information if dhcp is used

  • grabbing the info from /tmp/syslog now
• partitioning is going to be "interesting"
  • on a PC with multicard reader, sda now becomes sde (at least during installation)

    • the documented kernel parameter nousbstorage doesn't work

    • nousb does - side effects?

      • seems ok to use it during installation. - not propagated to installed system
        • 2010-11-02: now default option for PXE and SLU installs

RPM/YUM

• new checksum algo

  • RPMs built on SL6 can not be used on previous releases => build on SL5 for "common"!

  • to install a .src.rpm built on SL6 on SL5: rpm -i --nomd5

• %topdir is now ~/rpmbuild by default (used to be /usr/src/redhat)

  • that's certainly not what we want

  • to cope: put a line %_topdir /tmp/rpmb.<my_user_name> in ~/.rpmmacros

    • caveat: prior to SL6, the required subdirs will not be created automatically by RPM
• 32-bit package arch is i686 now - modified yumsel accordingly, ok

• really fast

• rpm has %posttrans scripts now
• yum multilib_policy default changed from "all" to "best" - this is good, and we even make this explicit in yum.conf just in case they change their mind

• apparently, yum will have a useful feature: general variables, see https://bugzilla.redhat.com/show_bug.cgi?id=590924

  • this feature is available with the beta 2 refresh - caveat: variable names must be lower case...

LDAP

nss_ldap was replaced by nslcd (package nss-pam-ldapd). Configuration is in /etc/nslcd.conf. In RHEL6 beta, authconfig has a bug writing an illegal line at the end of this file (fixed in %post).

OpenSSH

Should have the GSSAPI key exchange patch - according to the changelog, https://bugzilla.redhat.com/show_bug.cgi?id=455351 is fixed

NTP

• Service ntp was split into ntpdate and ntp. Great idea... will have to adapt xntp feature and archives

• the ntpd init script no longer supports "reload"

Network Configuration

NetworkManager is meant to be used for everything now, but that's not likely to be what we want (on on servers, we may be able to avoid installing it altogether).

• at the end of installation, turn on service network, and turn off service NetworkManager

• The rpm will now automatically enable the service in %post => need a trigger to undo that (done: SL_no_NetworkManager)

chkconfig

New option "resetpriorities", which is different from "reset". (And maybe does what "reset" was supposed to do ?)

perl configuration

• siteprefix is now /usr/local instead of /usr

GDM

• gdmsetup no longer exists :-(, custom.conf is empty (no examples)

• doc: http://library.gnome.org/admin/gdm/2.30/configuration.html.en#greeterconfiguration

• many settings are only available via gconf
  • setting /apps/gdm/simple-greeter/disable_user_list to false works
  • setting /apps/gdm/simple-greeter/disable_restart_buttons to true doesn't

  • there is no option to disable the "Suspend" entry in the Shutdown menu (maybe it's possible by theming... update: what theming X-()

    • actually, denying it to anyone with PolicyKit does the trick

      • no way to get rid of the buttons/menu entries though
• and most are simply gone
  • you have to patch the source to even keep it from displaying the fqdn (done...)
    • found a better way to do it: setting the computer-info-name-label invisible in the greeter's .ui file gets rid of the fqdn, and doing the same with computer-info-version-label (which appears instead) allows setting a "banner" label text - see SLZ_gdm_config.rpm for how it's actually done
• on the other hand, it creates the XAUTHORITY db on the local disk now, no longer in $HOME
  • that's good - how to teach ssh to do it?

Filesystem Capabilities

• new, very interesting, feature: see capabilities(7)

Legacy Font Handling

• chkfontpath is gone
• for additional directories, add a link in /etc/X11/fontpath.d instead

Logging

• sysklogd replaced by rsyslog
• fairly backward compatible:
  • to a traditional syslog.conf, just add these lines at the top:

    $ModLoad imuxsock.so    # provides support for local system logging (e.g. via logger command)
    $ModLoad imklog.so      # provides kernel logging support (previously done by rklogd)
    $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

  • and to avoid duplicate hostnames when logging remotely:

    $template sysklogd,"<%PRI%>%TIMESTAMP% %syslogtag%%msg%"
    *.*;kern.!=debug;                                       @loghost;sysklogd
    *.*;kern.!=debug;                                       @loghost2;sysklogd

OpenAFS

• IMA problem: https://bugzilla.redhat.com/show_bug.cgi?id=584901

  • patched kernel for beta 1: 2.6.32-19.el6.z1
  • fixed in beta 2 refresh kernel 2.6.32-44.1.el6.x86_64
• works with SELinux enabled if the labels are right:
  • /var/cache/openafs: system_u:object_r:afs_cache_t
  • /etc/init.d/afs: system_u:object_r:afs_initrc_exec_t
  • /usr/vice/etc/afsd: system_u:object_r:afs_exec_t
  • The latter two are defined in /etc/selinux/targeted/contexts/files/file_contexts, but for the cache it only defines this context for /var/cache/afs and usr/vice/cache. We should probably move our cache - or ask them to include /var/cache/openafs. Or have a trigger that updates the file and adds a line for /var/cache/openafs. Careful: Upon updates of afs_client, the label of /var/cache/openafs is reset, hence this needs to be fixed!
    • openafs-selinux.rpm deals with this correctly now: a trigger

      • uses semanage fcontext -a -e /var/cache/afs /var/cache/openafs to set up an "equivalence" between /var/cache/openafs and /var/cache/afs (this gets stored in /etc/selinux/targeted/contexts/files/file_contexts.subs)

      • calls restorecon on /var/cache/openafs, /etc/init.d/afs, /usr/vice/etc/afsd, and - if it isn't mounted - /afs

Rebuilding the Kernel

• in the spec, define the 'buildid' macro

• rpmbuild -ba --without debug kernel.spec to build the kernel package

• rpmbuild -ba --target noarch --with firmware --without debug --without doc --without perftool --without perf kernel.spec to build the kernel-firmware package (required by the kernel in a matching version)

PolicyKit

• Allowing local users to install additional packages with PackageKit requires just a file /var/lib/polkit-1/localauthority/50-local.d/10-desktop-policy.pkla:

  [Local User Permisssions]
  Identity=*
  Action=org.freedesktop.packagekit.package-install;org.freedesktop.packagekit.system-sources-refresh
  ResultAny=no
  ResultInactive=no
  ResultActive=yes

Virtualization

• Xen is gone. Only kvm is available.

SPICE

• make sure xorg-x11-drv-qxl and spice-server are installed in the vm

• virsh edit <vm>

  •     <graphics type='spice' port='5903' autoport='no' keymap='en-us'/>
        <video>
          <model type='qxl' heads='1'/>
          <alias name='video0'/>
          <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
        </video>

• on the host, install spice-client

• ssh -L5903:localhost:5903 <host>

• spicec -h localhost -p 5903

TODO: SSL connection, USB, Audio, Windows Client, Windows VM, How to use spice-xpi?

Candidates for s-bit removal

# for i in /bin/ /cgroup/ /boot/ /Desktop/ /etc/ /home/ /lib/ /lib64/ /opt/ /sbin/ /selinux/ /srv/ /tmp/ /usr/ /var/;do find $i -perm +4000 -o -perm +6000; done|xargs ls -l
-rwsr-xr-x. 1 root root       12104 Jul 14 13:45 /bin/cgexec
-rwsr-x---. 1 root dbus       49960 Aug 11 08:38 /lib64/dbus-1/dbus-daemon-launch-helper
-rwxr-sr-x. 1 root root        8744 Sep  1 18:15 /sbin/netreport
-rwsr-xr-x. 1 root root        9632 Oct 20 16:01 /sbin/pam_timestamp_check
-rwsr-xr-x. 1 root root       32160 Oct 20 16:01 /sbin/unix_chkpwd
-rwsr-xr-x. 1 root root       65680 Jul 20 11:19 /usr/bin/chage
-rwxr-sr-x. 1 root screen    387320 Nov 20  2009 /usr/bin/screen
-r-xr-sr-x. 1 root tty        15176 Apr 27  2010 /usr/bin/wall
-rwxr-sr-x. 1 root tty        12024 Aug 13 10:23 /usr/bin/write
-rwsr-xr-x. 1 root root      131224 Oct 18 03:05 /usr/gridengine/utilbin/lx26-amd64/authuser
-rwsr-xr-x. 1 root root       17008 Oct 18 03:05 /usr/gridengine/utilbin/lx26-amd64/rlogin
-rwsr-xr-x. 1 root root       48376 Oct 18 03:05 /usr/gridengine/utilbin/lx26-amd64/rsh
-rwsr-xr-x. 1 root root        8416 Oct 18 03:05 /usr/gridengine/utilbin/lx26-amd64/testsuidroot
-rwx--s--x. 1 root utmp       17144 Jul 19 16:15 /usr/lib64/vte/gnome-pty-helper
-rwsr-xr-x. 1 root root      221688 Aug 12 16:04 /usr/libexec/openssh/ssh-keysign
-rwsr-xr-x. 1 root root       18200 Jun 21 18:03 /usr/libexec/polkit-1/polkit-agent-helper-1
-rws--x--x. 1 root root       40752 Feb 25  2010 /usr/sbin/userhelper
-rwsr-xr-x. 1 root root        9000 Sep  1 18:15 /usr/sbin/usernetctl

Probably Ok or Required

-rwsr-xr-x. 1 root root       74680 Aug 13 10:22 /bin/mount
-rwsr-xr-x. 1 root root       41432 Jul 27 13:31 /bin/ping
-rwsr-xr-x. 1 root root       36256 Jul 27 13:31 /bin/ping6
-rwsr-xr-x. 1 root root       36440 Jun 14 13:01 /bin/su
-rwsr-xr-x. 1 root root       49280 Aug 13 10:22 /bin/umount
-rwsr-xr-x. 1 root root       68672 Jul 20 11:19 /usr/bin/gpasswd
-rwsr-xr-x. 1 root root      216626 Sep 23 23:55 /usr/bin/ksu
-rwx--s--x. 1 root slocate    38464 Mar 30  2010 /usr/bin/locate
-rwxr-sr-x. 1 root mail       20256 Dec  3  2009 /usr/bin/lockfile
-rwsr-xr-x. 1 root root       38224 Jul 20 11:19 /usr/bin/newgrp
-rwsr-xr-x. 1 root root       31768 Jan 28  2010 /usr/bin/passwd
-rwsr-xr-x. 1 root root       25232 Jun 21 18:03 /usr/bin/pkexec
-rwxr-sr-x. 1 root nobody    112000 Aug 12 16:04 /usr/bin/ssh-agent
---s--x--x. 2 root root      186800 Sep  1 10:53 /usr/bin/sudo
---s--x--x. 2 root root      186800 Sep  1 10:53 /usr/bin/sudoedit
-rws--x--x. 1 root root       28001 Oct 22 14:54 /usr/libexec/pt_chown
-rwx--s--x. 1 root utmp        9760 Dec  3  2009 /usr/libexec/utempter/utempter
-rwx--s--x. 1 root lock       15792 Dec  4  2009 /usr/sbin/lockdev
-rwxr-sr-x. 1 root postdrop  184904 May 26  2010 /usr/sbin/postdrop
-rwxr-sr-x. 1 root postdrop  213736 May 26  2010 /usr/sbin/postqueue
-rwsr-xr-x. 1 root root       19072 Aug 25 14:51 /usr/sbin/seunshare

S-bit removed

-rws--x--x. 1 root root     1932216 Aug 11 17:52 /usr/bin/Xorg  (security feature)

Not Installed by Default

---s--x---. 1 root stapusr    67840 Nov 16 04:43 /usr/bin/staprun