Date: Thu, 12 Jul 2001 16:24:33 -0400
From: "Zachary M. Smith" <spader@arbornet.org>
To: security@FreeBSD.ORG
Subject: Re: FreeBSD 4.3 local root PREVENTIONS
Message-ID: <20010712162433.A499@arbornet.org>
In-Reply-To: <20010712150856.B22961@pir.net>; from pir@pir.net on Thu, Jul 12, 2001 at 03:08:56PM -0400
References: <6381A6A8826BD31199500090279CAFBA2BD50E@exchange.strategicit.net> <20010712150856.B22961@pir.net>
Something we do at Arbornet (m-net.arbornet.org) is move all
binaries that require setuid to /bin/suid and link them back
to their respective places. We also use chflags to set schg and
uchg on all the suid binaries, as well as mounting /bin/suid
read-only.

By the way, we offer free shells on this machine (running 4.3-STABLE)
if anyone cares to take a look. Log in to m-net.arbornet.org as
'newuser'.
/dev/da0s1a on / (ufs, local, nosuid)
/dev/da0s1g on /bin/suid (ufs, local, read-only)
/dev/da0s2e on /home (ufs, local, nosuid, with quotas)
/dev/da0s3h on /root (ufs, local, nosuid)
/dev/ad2f on /tmp (ufs, local, nosuid)
/dev/da0s3e on /usr (ufs, local, nosuid)
/dev/da0s3g on /usr/bbs (ufs, local, nosuid)
/dev/da0s3f on /usr/local (ufs, local, nosuid)
/dev/da0s1e on /var (ufs, local, nosuid)
/dev/da0s1f on /var/mail (ufs, local, nosuid, with quotas)
/dev/ad2g on /usr/obj (ufs, local, nosuid)
On Thu, Jul 12, 2001 at 03:08:56PM -0400, Peter Radcliffe wrote:
> "Portwood, Jason" <JPortwood@strategicit.net> probably said:
> > Wouldn't it be a better practice to just mount all the partitions that don't
> > need suid as nosuid? Just off the top of my head those candidates would
> > be
> >
> > /tmp
> > /home
> > /var
> >
> > Is there a good reason for not doing this?
>
> I've been doing this for some time. I also mount everything but /
> nodev. Doesn't seem to hurt anything I use.
>
> P.
>
> --
> pir pir@pir.net pir@net.tufts.edu
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
-- 
Zach Smith
+-------------------+
| UNIX Nerd         |
|         &         |
| Professional Geek |
+-------------------+
spader@arbornet.org
GPG: EB0C 89F5 697E FDD5 3AD4 2ADE 33A1 5A5E 50B7 1FA0
PGP: 9F 67 72 95 8D 15 2D DC 19 D8 23 75 60 61 CE 0D
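An added example, not part of the post or of Arbornet's own tooling: a POSIX sh audit that checks mount(8) output against the layout described above (a dedicated read-only setuid partition, everything else nosuid) and reports any filesystem that drifts from it. It assumes /bin/suid as the setuid partition and uses constructed mount lines modelled on the ones in the post, with one deliberately missing nosuid.

```shell
#!/bin/sh
# Audit mount(8) output for filesystems that still permit setuid execution.
# Intended layout (from the thread): the setuid partition is mounted
# read-only, and every other filesystem carries "nosuid".

SUID_FS="/bin/suid"   # assumed location of the setuid partition

# Constructed sample of `mount` output; /usr/local deliberately lacks nosuid.
SAMPLE_MOUNTS='/dev/da0s1a on / (ufs, local, nosuid)
/dev/da0s1g on /bin/suid (ufs, local, read-only)
/dev/da0s2e on /home (ufs, local, nosuid, with quotas)
/dev/ad2f on /tmp (ufs, local, nosuid)
/dev/da0s3f on /usr/local (ufs, local)'

# audit_mounts <mount-output>
# Prints one finding per line; prints nothing when the layout is as intended.
audit_mounts() {
    mounts=$1
    printf '%s\n' "$mounts" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        set -f; set -- $line; set +f   # "<dev> on <mountpoint> (<opts>)"
        mnt=$3
        opts=${line#*(}; opts=${opts%)} # text between the parentheses
        if [ "$mnt" = "$SUID_FS" ]; then
            case "$opts" in
                *read-only*) ;;         # as intended
                *) printf '%s: setuid partition is writable\n' "$mnt" ;;
            esac
        else
            case "$opts" in
                *nosuid*) ;;            # as intended
                *) printf '%s: setuid execution allowed (missing nosuid)\n' "$mnt" ;;
            esac
        fi
    done
}

# stray_setuid: list setuid files living outside the setuid partition on the
# local filesystems (run as root on the live system; not exercised here).
stray_setuid() {
    find / -xdev -type f -perm -4000 ! -path "$SUID_FS/*" 2>/dev/null
}

# Stand-alone run against the constructed sample; on a live system use:
#   audit_mounts "$(mount)"
audit_mounts "$SAMPLE_MOUNTS"
```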
