Date: Fri, 2 Jun 2017 12:33:34 -0700
From: Tim Gustafson <tjg@ucsc.edu>
To: Adam Vande More <amvandemore@gmail.com>
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: Excluding File Systems from 100.chksetuid and 110.neggrpperm
Message-ID: <CAPyBAS6R5CC=7Qmx=4aC=aw9R-YTJPRt0Qi1nndK9pP0OekAEg@mail.gmail.com>
In-Reply-To: <CA%2BtpaK209YqTu8B-eH4k=-LgZ6wugkzRjGFNfPCu_on49wwzGw@mail.gmail.com>
References: <CAPyBAS7WN91CCxB15xpf_C7XEdv9T=DG-W7GjTx0Vy7s5Fx9gQ@mail.gmail.com> <CA%2BtpaK209YqTu8B-eH4k=-LgZ6wugkzRjGFNfPCu_on49wwzGw@mail.gmail.com>
>> https://forums.freebsd.org/threads/31846/

> That thread mentions this posting which contains responses as to why it
> likely was never pursued further:
>
> https://docs.freebsd.org/cgi/getmsg.cgi?fetch=275969+0+/usr/local/www/mailindex/archive/2012/freebsd-stable/20120506.freebsd-stable

Sorry, I think I'm missing something. I don't see anything in that thread that suggests why it wouldn't be implemented. There's some chatter about not excluding all ZFS filesystems, but I'm not asking about that. I'm asking about excluding individual filesystems.

In the original post I shared, the suggested patch included the ability to exclude by mount point, rather than by file system type. My desired settings would be:

daily_status_security_chksetuid_fs_ignore="/export"
daily_status_security_neggrpperm_fs_ignore="/export"

As these are just NFS servers, users never log into them and can't run processes on them. I could mount them locally with nosuid and noexec, but then it's not clear to me how that would affect NFS clients that mount these file systems, though I think setting nosuid and noexec on the server wouldn't have any effect on the NFS clients. Also, there are certainly legitimate suid and non-suid binaries in those file systems that need to be run on the clients that mount them.

I suppose if these processes should really run for security purposes, it would be better to have them run on a particular day. For example, having them start late on Friday night or very early Saturday morning would avoid our heaviest workload periods. But that also seems to not be an option, unless there is something fancy I can do in periodic.conf that's not immediately apparent to me, or by hacking files in /etc/periodic, which I'd rather not do if I can avoid it.

--
Tim Gustafson
BSOE Computing Director
tjg@ucsc.edu
831-459-5354
Baskin Engineering, Room 313A

To request BSOE IT support, please visit https://support.soe.ucsc.edu/ or send e-mail to help@soe.ucsc.edu.
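The exclusion-by-mount-point behaviour asked for in the message above, as an added shell example that is not part of this thread and not FreeBSD's own 100.chksetuid or 110.neggrpperm scripts. It reimplements the two checks (setuid/setgid regular files, and files where "other" holds a permission bit that "group" lacks) with a prune list, so an excluded path such as a large NFS export is skipped by find rather than walked and filtered afterwards. The `scan_mounts` function name, the `setuid`/`neggrp` kind keywords and the POSIX-only find primaries (`-xdev`, `-path`, `-prune`, octal `-perm`) are this example's assumptions; the `daily_status_security_*_fs_ignore` variables in the message are the poster's proposal, not existing periodic.conf knobs, so nothing here reads them.

```shell
#!/bin/sh
# Added example, not FreeBSD's periodic scripts: a mount-point-aware version
# of the chksetuid and neggrpperm checks that prunes excluded paths.
# Assumes POSIX sh and POSIX find (-xdev, -path, -prune, octal -perm).

# scan_mounts KIND ROOT [EXCLUDE ...]
#   KIND    : "setuid" -> regular files with the setuid or setgid bit set
#             "neggrp" -> regular files where "other" has a permission bit
#                         that "group" does not (negative group permission)
#   ROOT    : directory to walk; the walk stays on ROOT's file system (-xdev)
#   EXCLUDE : absolute paths to prune, written as find would print them
# Prints one matching path per line.
scan_mounts() {
    kind=$1; root=$2; shift 2
    n=$#; i=0
    # Rewrite the positional parameters from "A B C" into
    # "-path A -o -path B -o -path C" (POSIX sh has no arrays).
    while [ "$i" -lt "$n" ]; do
        e=${1%/}; shift              # drop a trailing slash so -path matches exactly
        [ "$i" -gt 0 ] && set -- "$@" -o
        set -- "$@" -path "$e"
        i=$((i + 1))
    done
    # Wrap the list as a prune clause; with no excludes "$@" stays empty and
    # find simply walks the whole file system under ROOT.
    [ "$n" -gt 0 ] && set -- \( "$@" \) -prune -o
    case $kind in
    setuid)
        find "$root" -xdev "$@" -type f \
            \( -perm -4000 -o -perm -2000 \) -print ;;
    neggrp)
        # other-read without group-read, other-write without group-write,
        # other-exec without group-exec
        find "$root" -xdev "$@" -type f \( \
            \( -perm -0004 ! -perm -0040 \) -o \
            \( -perm -0002 ! -perm -0020 \) -o \
            \( -perm -0001 ! -perm -0010 \) \) -print ;;
    *)
        echo "scan_mounts: unknown kind '$kind'" >&2; return 2 ;;
    esac
}

# Usage: sh scan_mounts.sh setuid / /export
#        sh scan_mounts.sh neggrp / /export /scratch
# Runs only when invoked with arguments, so the file can also be sourced.
if [ $# -gt 0 ]; then
    scan_mounts "$@"
fi
```

Because the prune clause sits in front of the `-type f` test, find never descends into an excluded directory, which is the cost saving the message is after; the `-xdev` flag keeps each invocation on one file system, so separate mounts are scanned by separate calls exactly as a per-mount-point ignore list would imply.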