Date:      Thu, 13 Jan 2005 18:53:23 +0000
From:      Ceri Davies <ceri@submonkey.net>
To:        Don Lewis <truckman@FreeBSD.org>
Cc:        src-committers@FreeBSD.org
Subject:   Re: cvs commit: src/etc/periodic/security 100.chksetuid
Message-ID:  <20050113185323.GI49329@submonkey.net>
In-Reply-To: <200501131849.j0DInEEE029957@gw.catspoiler.org>
References:  <20050113153228.GG49329@submonkey.net> <200501131849.j0DInEEE029957@gw.catspoiler.org>

On Thu, Jan 13, 2005 at 10:49:14AM -0800, Don Lewis wrote:
> On 13 Jan, Ceri Davies wrote:
> > On Thu, Jan 13, 2005 at 06:28:26PM +0300, Gleb Smirnoff wrote:
> >> On Thu, Jan 13, 2005 at 03:24:30PM +0000, Ceri Davies wrote:
> >> C> Umm, why not?  If setuid binaries appear anywhere on my system then I'd
> >> C> like to continue to be told so that I can be confident of where they
> >> C> came from.  I don't care if they pose an immediate threat or not.
> >>
> >> In this case "grep -v nosuid" must be removed, too, to be consistent.
> >>
> >> P.S. We have "grep -v nosuid" from the very beginning.
> >
> > Hmm.  I retract my objection then, whilst retaining my reservations.
>
> I did something like this locally way back in the 2.1.x days.  Running
> suid checks on the news spool, the squid cache, the CD-ROM changer
> (causing it to sometimes lock up), and a bunch of NFS clients
> simultaneously doing suid checks on the same NFS server got to be a
> drag.

Sounds like something like chksetuid_exclude which lists mountpoints to
exclude might be in order.  Any objections to me putting that together,
or are people happy with the status quo?

Ceri
--
Only two things are infinite, the universe and human stupidity, and I'm
not sure about the former.			  -- Einstein (attrib.)
