cvs commit: src/etc/periodic/security 100.chksetuid

Jacques A. Vidrine nectar at FreeBSD.org
Thu Jan 13 12:55:29 PST 2005


On Thu, Jan 13, 2005 at 10:41:54PM +0200, Giorgos Keramidas wrote:
> On 2005-01-13 11:34, John-Mark Gurney <gurney_j at resnet.uoregon.edu> wrote:
> > Giorgos Keramidas wrote this message on Thu, Jan 13, 2005 at 21:07 +0200:
> > > > Sounds like something like chksetuid_exclude which lists mountpoints to
> > > > exclude might be in order.  Any objections to me putting that together,
> > > > or are people happy with the status quo?
> > >
> > > It's not a bad idea.  While you're at it, a knob that disables checks
> > > for NFS-mounted filesystems may be nice too.  It doesn't make sense to
> > > check the same files both in the client *and* the server, as Don has
> > > pointed out.
> > >
> > > I think I can almost see this coming :-)
> > >
> > > 	daily_status_security_chksetuid_nfs="NO"
> >
> > Why not do something like:
> > daily_status_security_chksetuid_remote="NO"
> >
> > Find already has "logic" that tries to determin if an fs is local or
> > remote..
> 
> That sounds even better! :-)

Except that remote file systems are the most important ones to check for
setuid executables ...  I think they should be mounted nosetuid (or
better, noexec), or they should be periodically checked.

Cheers,
-- 
Jacques Vidrine / nectar at celabo.org / jvidrine at verio.net / nectar at freebsd.org


More information about the cvs-src mailing list