Date: Thu, 13 Jan 2005 13:51:32 -0800 From: John-Mark Gurney <gurney_j@resnet.uoregon.edu> To: "Jacques A. Vidrine" <nectar@FreeBSD.org>, Giorgos Keramidas <keramida@ceid.upatras.gr>, Ceri Davies <ceri@submonkey.net>, src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org Subject: Re: cvs commit: src/etc/periodic/security 100.chksetuid Message-ID: <20050113215132.GM19624@funkthat.com> In-Reply-To: <20050113205528.GA83599@hellblazer.celabo.org> References: <20050113153228.GG49329@submonkey.net> <200501131849.j0DInEEE029957@gw.catspoiler.org> <20050113185323.GI49329@submonkey.net> <20050113190755.GA24939@orion.daedalusnetworks.priv> <20050113193413.GL19624@funkthat.com> <20050113204154.GA829@gothmog.gr> <20050113205528.GA83599@hellblazer.celabo.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Jacques A. Vidrine wrote this message on Thu, Jan 13, 2005 at 14:55 -0600:
> On Thu, Jan 13, 2005 at 10:41:54PM +0200, Giorgos Keramidas wrote:
> > On 2005-01-13 11:34, John-Mark Gurney <gurney_j@resnet.uoregon.edu> wrote:
> > > Giorgos Keramidas wrote this message on Thu, Jan 13, 2005 at 21:07 +0200:
> > > > > Sounds like something like chksetuid_exclude which lists mountpoints to
> > > > > exclude might be in order. Any objections to me putting that together,
> > > > > or are people happy with the status quo?
> > > >
> > > > It's not a bad idea. While you're at it, a knob that disables checks
> > > > for NFS-mounted filesystems may be nice too. It doesn't make sense to
> > > > check the same files both in the client *and* the server, as Don has
> > > > pointed out.
> > > >
> > > > I think I can almost see this coming :-)
> > > >
> > > > daily_status_security_chksetuid_nfs="NO"
> > >
> > > Why not do something like:
> > > daily_status_security_chksetuid_remote="NO"
> > >
> > > Find already has "logic" that tries to determin if an fs is local or
> > > remote..
> >
> > That sounds even better! :-)
>
> Except that remote file systems are the most important ones to check for
> setuid executables ... I think they should be mounted nosetuid (or
> better, noexec), or they should be periodically checked.
Most nfs installs, you have control over the server, and are probably
already running something similar on the server... If you are mounting
"untrusted" shares, as you said, they should be mounted nosetuid or noexec,
and if you really need it not mounted noexec, then we should provide an
include of non-local fs's...
--
John-Mark Gurney Voice: +1 415 225 5579
"All that I will do, has been done, All that I have, has not."
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050113215132.GM19624>