suid bit files + securing FreeBSD (new program: LockDown)

Socketd db at traceroute.dk
Sun Jul 27 04:19:29 PDT 2003


On Sun, 27 Jul 2003 09:57:10 +1000
Peter Jeremy <PeterJeremy at optushome.com.au> wrote:

> > But what files REALLY MUST have it ?
> 
> There's no simple answer to this.  It's a matter of going through each
> file with setuid (or setgid) set, understanding why that file has the
> set[gu]id bit and whether you need that functionality.

Robert Watson is going through all the setuid files, to see which really
need to be setuid. In -CURRENT he has removed the setuid bit from quota.

Anyway, I have been thinking about writing a program to make the default
installation (with "extreme" security) even more secure. I have attached
the configuration file; it should explain what the program can do. (Not
one line of code has been written yet.)

Btw, setting noexec and nosuid on a mount point is a little redundant,
right? I mean, since the user can't execute files, there is no point in
also setting nosuid?

Best regards
Socketd

ps: Please remember that the LockDown configuration file is only version
0.1, so nothing is final.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: lockdown.conf
Type: application/octet-stream
Size: 7201 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20030727/611bc2c6/lockdown.obj
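A defender-side helper for the inventory step Peter describes above: list the set[ug]id files under a tree and compare them against a saved baseline, so that a file that newly gains the bit shows up as an audit finding. This is an added example, not the LockDown program or anything posted in the thread; the directory layout, file names and baseline location are constructed assumptions.

```shell
#!/bin/sh
# Enumerate set-user-id / set-group-id files and diff them against a
# recorded baseline.  Constructed example: the tree built in demo() and
# the baseline path are assumptions, not taken from the mailing-list post.

# list_setid ROOT: print "mode owner group path" for every regular file
# under ROOT (same filesystem only) with the setuid or setgid bit set.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -ld {} \; 2>/dev/null |
        awk '{ print $1, $3, $4, $NF }' | sort -k4
}

# audit_setid ROOT BASELINE: compare the current listing with BASELINE.
# Prints "+" lines for entries that appeared and "-" lines for entries
# that vanished; returns 0 when nothing changed, 1 when something did.
audit_setid() {
    root=$1; baseline=$2
    current=$(mktemp "${TMPDIR:-/tmp}/setid.XXXXXX") || return 2
    list_setid "$root" > "$current"
    changes=$(diff "$baseline" "$current" | grep '^[<>]' |
              sed 's/^< /-/; s/^> /+/')
    rm -f "$current"
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}

# demo: build a small constructed tree with one accepted setuid binary,
# record the baseline, then flip the setuid bit on an unrelated file and
# run the audit.  Returns audit_setid's exit status (1 = change found).
demo() {
    tree=$(mktemp -d "${TMPDIR:-/tmp}/setid.XXXXXX") || return 2
    mkdir -p "$tree/bin" "$tree/home"
    : > "$tree/bin/passwd";  chmod 4555 "$tree/bin/passwd"   # expected setuid
    : > "$tree/bin/ls";      chmod 0555 "$tree/bin/ls"
    : > "$tree/home/tool";   chmod 0755 "$tree/home/tool"
    list_setid "$tree" > "$tree/baseline"      # accepted state on record
    chmod 4755 "$tree/home/tool"               # an unexpected change
    audit_setid "$tree" "$tree/baseline"; rc=$?
    rm -rf "$tree"
    return $rc
}
```

Running `demo` prints a single `+` line for home/tool; on a real host you would record the baseline with `list_setid / > /var/db/setid.baseline` right after installation and run `audit_setid / /var/db/setid.baseline` from a periodic job.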