cvs commit: src/etc/periodic/security 100.chksetuid
Ceri Davies
ceri at submonkey.net
Thu Jan 13 10:53:26 PST 2005
On Thu, Jan 13, 2005 at 10:49:14AM -0800, Don Lewis wrote:
> On 13 Jan, Ceri Davies wrote:
> > On Thu, Jan 13, 2005 at 06:28:26PM +0300, Gleb Smirnoff wrote:
> >> On Thu, Jan 13, 2005 at 03:24:30PM +0000, Ceri Davies wrote:
> >> C> Umm, why not? If setuid binaries appear anywhere on my system then I'd
> >> C> like to continue to be told so that I can be confident of where they
> >> C> came from. I don't care if they pose an immediate threat or not.
> >>
> >> In this case "grep -v nosuid" must be removed, too, to be consistent.
> >>
> >> P.S. We have "grep -v nosuid" from the very beginning.
> >
> > Hmm. I retract my objection then, whilst retaining my reservations.
>
> I did something like this locally way back in the 2.1.x days. Running
> suid checks on the news spool, the squid cache, the CD-ROM changer
> (causing it to sometimes lock up), and a bunch of NFS clients
> simultaneously doing suid checks on the same NFS server got to be a
> drag.
Sounds like something like chksetuid_exclude which lists mountpoints to
exclude might be in order. Any objections to me putting that together,
or are people happy with the status quo?
Ceri
--
Only two things are infinite, the universe and human stupidity, and I'm
not sure about the former. -- Einstein (attrib.)
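
Added example, not part of the original message and not FreeBSD's 100.chksetuid script: a sketch of how the proposed exclude list could sit alongside the existing nosuid filter when picking mountpoints to scan. The name chksetuid_exclude comes from the message above; its space-separated format, the function names and the sample mount(8) output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Choose which mountpoints a setuid scan should visit.

# Constructed sample in FreeBSD mount(8) output format.
sample_mounts() {
cat <<'EOF'
/dev/ad0s1a on / (ufs, local)
/dev/ad0s1d on /usr (ufs, local, soft-updates)
/dev/ad0s1e on /var/spool/news (ufs, local, soft-updates)
/dev/ad0s1f on /var/squid (ufs, local, nosuid)
/dev/ad0s1g on /home (ufs, local, noexec)
EOF
}

# select_mountpoints EXCLUDE_LIST < mount-output
# Prints, one per line, the mountpoints that are neither mounted
# nosuid/noexec nor named in EXCLUDE_LIST (hypothetical
# chksetuid_exclude value: space-separated, no spaces in paths).
select_mountpoints() {
    exclude=$1
    while IFS= read -r line; do
        opts=${line##* (}      # option list after the last " ("
        opts=${opts%)}
        mp=${line#* on }       # drop "<device> on "
        mp=${mp% (*}           # drop " (<options>)"
        # Match whole option words, so "nosuid" in a path is ignored.
        case ", $opts," in
            *", nosuid,"*|*", noexec,"*) continue ;;
        esac
        skip=0
        for ex in $exclude; do
            if [ "$mp" = "$ex" ]; then skip=1; fi
        done
        if [ "$skip" -eq 0 ]; then printf '%s\n' "$mp"; fi
    done
    return 0
}

# Demo: exclude the news spool in addition to the nosuid/noexec mounts.
sample_mounts | select_mountpoints "/var/spool/news"
```

An excluded mountpoint is skipped silently here, which is the trade-off raised earlier in the thread: a setuid file appearing there would no longer be reported.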