-
netstat -e and root
Hi guys
I got a little question about the output from netstat. I was looking through the man page when I came across the -e switch. I used it a couple of times and then noticed something which I found a little weird. I doubt it's a security problem but I'd still like it explained if somebody could. Basically sometimes I find root in the user column instead of my username. This is generally (but not always) for connections to Verisign or equivalents. Just wondered why really, seeing as I run Firefox from the package downloaded from the Mozilla site that runs from its own folder.
Why are these connections there? Or more specifically, why are there any connections to root?
Here's an example output:
Code:
Fatback@mepis1:~$ netstat -et
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode
tcp 0 0 233.Red-81-41-32.s:5650 74.125.4.38:www ESTABLISHEDFatback 220669
tcp 1 1 233.Red-81-41-32.s:1704 108.116.232.72.stat:www LAST_ACK root 0
tcp 0 1 233.Red-81-41-32.s:4461 www.grc.com:https SYN_SENT Fatback 221439
tcp 1 0 233.Red-81-41-32.s:5650 74.125.4.38:www CLOSE_WAIT Fatback 220669
tcp 0 1 233.Red-81-41-32.s:4462 www.grc.com:https SYN_SENT Fatback 221441
tcp 0 0 233.Red-81-41-32.s:4459 www.grc.com:https ESTABLISHEDFatback 221437
tcp 0 0 233.Red-81-41-32.s:1986 OCSP.NYC3.verisign.:www TIME_WAIT root 0
tcp 0 1 233.Red-81-41-32.s:4460 www.grc.com:https SYN_SENT Fatback 221438
tcp 0 0 233.Red-81-41-32.s:1986 OCSP.NYC3.verisign.:www TIME_WAIT root 0
tcp 0 506 233.Red-81-41-32.s:4460 www.grc.com:https ESTABLISHEDFatback 221438
tcp 0 192 233.Red-81-41-32.s:4464 www.grc.com:https ESTABLISHEDFatback 221510
-
Some applications use system services that are only available to root, so they are chmod'd to be setuid root. When you run them, they are run under the root user account. These are major points of vulnerability and must be trusted programs, as if they are compromised, then the system is at risk. Apparently, the public key and certificate of authority functions provided by Verisign require root privileges, so its applications are setuid root. So, even if you run them, they still appear to be run by root. OK?
-
Thanks for the info Rubberman. Got it :)
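An added example (not written by any poster in this thread): a small parser that groups the rows of the `netstat -et` output posted above by user, state and whether the row still has a socket inode, including the rows where the state has run into the User column. The rows are copied from the post; the function names `parse_rows` and `summarize` are hypothetical.

```python
import re
from collections import Counter

# Rows copied from the netstat -et output posted in this thread.
SAMPLE = """\
tcp 0 0 233.Red-81-41-32.s:5650 74.125.4.38:www ESTABLISHEDFatback 220669
tcp 1 1 233.Red-81-41-32.s:1704 108.116.232.72.stat:www LAST_ACK root 0
tcp 0 1 233.Red-81-41-32.s:4461 www.grc.com:https SYN_SENT Fatback 221439
tcp 1 0 233.Red-81-41-32.s:5650 74.125.4.38:www CLOSE_WAIT Fatback 220669
tcp 0 1 233.Red-81-41-32.s:4462 www.grc.com:https SYN_SENT Fatback 221441
tcp 0 0 233.Red-81-41-32.s:4459 www.grc.com:https ESTABLISHEDFatback 221437
tcp 0 0 233.Red-81-41-32.s:1986 OCSP.NYC3.verisign.:www TIME_WAIT root 0
tcp 0 1 233.Red-81-41-32.s:4460 www.grc.com:https SYN_SENT Fatback 221438
tcp 0 0 233.Red-81-41-32.s:1986 OCSP.NYC3.verisign.:www TIME_WAIT root 0
tcp 0 506 233.Red-81-41-32.s:4460 www.grc.com:https ESTABLISHEDFatback 221438
tcp 0 192 233.Red-81-41-32.s:4464 www.grc.com:https ESTABLISHEDFatback 221510
"""

# netstat's TCP state names, longest first so CLOSE_WAIT wins over CLOSE.
STATES = sorted(["ESTABLISHED", "SYN_SENT", "SYN_RECV", "FIN_WAIT1",
                 "FIN_WAIT2", "TIME_WAIT", "CLOSE_WAIT", "LAST_ACK",
                 "LISTEN", "CLOSING", "CLOSE"], key=len, reverse=True)
STATE_RE = re.compile("|".join(STATES))

def parse_rows(text):
    """Parse `netstat -et` TCP rows, including ones where an 11-character
    state has run into the User column (ESTABLISHEDFatback)."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or not fields[0].startswith("tcp"):
            continue  # banner, column header or blank line
        tail = " ".join(fields[5:-1])  # state and user, fused or not
        m = STATE_RE.match(tail)
        if m is None or not fields[-1].isdigit():
            continue
        rows.append({"foreign": fields[4], "state": m.group(0),
                     "user": tail[m.end():].strip(), "inode": int(fields[-1])})
    return rows

def summarize(rows):
    """Count rows by (user, state, has_inode). Inode 0 means the kernel no
    longer has a socket inode for the connection (orphaned or TIME_WAIT),
    so no process is holding it open."""
    return Counter((r["user"], r["state"], r["inode"] != 0) for r in rows)

if __name__ == "__main__":
    for (user, state, has_inode), n in sorted(summarize(parse_rows(SAMPLE)).items()):
        print(f"{user:8} {state:12} inode={'yes' if has_inode else 'no'} rows={n}")
```

On the posted output, every row attributed to root has inode 0 and is in LAST_ACK or TIME_WAIT, while every Fatback row has a non-zero inode.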