From owner-freebsd-security@FreeBSD.ORG Sun Jul 27 06:45:08 2003
From: "Peter Rosa"
To: "Socketd"
cc: FreeBSD Security
Date: Sun, 27 Jul 2003 15:44:33 +0200
Organization: PRO, s.r.o.
Subject: Re: suid bit files + securing FreeBSD (new program: LockDown)
Message-ID: <004c01c35445$3603c840$3501a8c0@pro.sk>
References: <00d601c3539a$91576a40$3501a8c0@pro.sk> <20030726235710.GD4105@cirb503493.alcatel.com.au> <20030727132847.5adc6b07.db@traceroute.dk>

It sounds very good... Even more so to write it... I'm sorry, I cannot help you as I'm not a programmer (some basics only). Good luck with your plan and, please, announce it here after finishing.
Best regards
Peter Rosa

----- Original Message -----
From: "Socketd"
Sent: Sunday, July 27, 2003 1:28 PM
Subject: Re: suid bit files + securing FreeBSD (new program: LockDown)

> On Sun, 27 Jul 2003 09:57:10 +1000
> Peter Jeremy wrote:
>
> > > But what files REALLY MUST have it ?
> >
> > There's no simple answer to this. It's a matter of going through each
> > file with setuid (or setgid) set, understanding why that file has the
> > set[gu]id bit and whether you need that functionality.
>
> Robert Watson is going through all the setuid files, to see which really
> need to be setuid. In -CURRENT he has removed the setuid bit from quota.
>
> Anyway I have been thinking about writing a program to make the default
> installation (with "extreme" security) even more secure. I have attached
> the configuration file, it should explain what the program can do. (not
> one line of code has been written yet).
>
> Btw setting noexec and nosuid on a mount point is a little redundant
> right? I mean since the user can't execute files, there is no point in
> also setting nosuid?
>
> Best regards
> Socketd
>
> ps: Please remember that the LockDown configuration file is only version
> 0.1, so nothing is final.
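The file-by-file review Peter Jeremy describes, and Socketd's question about noexec versus nosuid, both come down to knowing where each set[ug]id file lives and how that filesystem is mounted. The POSIX sh script below is an added example for this thread; it is not code from the thread, from FreeBSD, or from the LockDown program Socketd mentions. It reports every setuid/setgid candidate with the mount point covering it and whether that mount carries nosuid and noexec, and lists separately the ones that still need a manual look. nosuid and noexec are shown as independent columns because they are independent controls: nosuid keeps the set[ug]id bits from taking effect on that filesystem, noexec refuses execve(2) of files on it. The sample mount table and file list are constructed; the mount(8) output formats parsed by audit_live are an assumption noted in its comment.

```shell
#!/bin/sh
# Added example (not code from the thread or from LockDown): report
# setuid/setgid files together with the mount options of the filesystem
# each one lives on. The sample mount table and file list are constructed.

# opt_set OPTIONS NAME: succeed if the comma-separated OPTIONS contain NAME.
opt_set() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# mount_for_path PATH: read "mountpoint options" lines on stdin and print
# the one whose mount point is the longest prefix of PATH ("/" always matches).
mount_for_path() {
    path=$1
    best=""
    bestlen=-1
    while read -r mp opts; do
        if [ "$mp" = "/" ]; then
            len=0
        else
            case "$path" in
                "$mp"|"$mp"/*) len=${#mp} ;;
                *) continue ;;
            esac
        fi
        if [ "$len" -gt "$bestlen" ]; then
            best="$mp $opts"
            bestlen=$len
        fi
    done
    printf '%s\n' "$best"
}

# report_file PATH MOUNTS: print "PATH MOUNTPOINT nosuid=yes|no noexec=yes|no".
# MOUNTS is a multi-line string of "mountpoint options" lines.
report_file() {
    line=$(printf '%s\n' "$2" | mount_for_path "$1")
    mp=${line%% *}
    opts=${line#* }
    s=no
    e=no
    opt_set "$opts" nosuid && s=yes
    opt_set "$opts" noexec && e=yes
    printf '%s %s nosuid=%s noexec=%s\n' "$1" "$mp" "$s" "$e"
}

# needs_review MOUNTS: read file paths on stdin and print the report line for
# each one that sits on a filesystem mounted without nosuid.
needs_review() {
    while read -r f; do
        line=$(report_file "$f" "$1")
        case "$line" in
            *" nosuid=no "*) printf '%s\n' "$line" ;;
        esac
    done
}

# audit_live: the same report for the running system. Assumption: mount(8)
# prints either "dev on mp (opt, opt)" (FreeBSD) or "dev on mp type t (opt,opt)"
# (Linux); the sed pipeline reduces both to "mp opt,opt".
audit_live() {
    mounts=$(mount | sed -n 's/^[^ ]* on \([^ ]*\) .*(\(.*\))$/\1 \2/p' | sed 's/, /,/g')
    find / -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | needs_review "$mounts"
}

# Constructed sample: four mount points and five set[ug]id candidates.
SAMPLE_MOUNTS='/ rw,local
/usr rw,local
/tmp rw,local,nosuid,noexec
/home rw,local,nosuid'
SAMPLE_FILES='/usr/bin/su
/sbin/ping
/tmp/dropped
/home/bob/.hidden/sh
/usr/local/bin/sudo'

# demo: run the sample; prints only the files a reviewer still has to look at.
demo() {
    printf '%s\n' "$SAMPLE_FILES" | needs_review "$SAMPLE_MOUNTS"
}

case "${1:-}" in
    --live) audit_live ;;
    *)      demo ;;
esac
```

Run it with no arguments to see the constructed sample (three of the five files end up in the review list: the two under /usr and the one on /), or with `--live` as root to run the same report against the system's own mount table and set[ug]id files. Files on a nosuid mount are dropped from the review list even when the mount is not noexec, since the bit cannot grant privileges there either way.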