suid bit files + securing FreeBSD (new program: LockDown)

Peter Rosa prosa at pro.sk
Sun Jul 27 06:45:08 PDT 2003


It sounds very good... Even more to write it...
I'm sorry, I cannot help you as I'm not a programmer (some basics only).

Good luck with your plan and, please, announce it here after finishing.

Best regards

Peter Rosa


----- Original Message -----
From: "Socketd" <db at traceroute.dk>
To: <freebsd-security at freebsd.org>
Sent: Sunday, July 27, 2003 1:28 PM
Subject: Re: suid bit files + securing FreeBSD (new program: LockDown)


> On Sun, 27 Jul 2003 09:57:10 +1000
> Peter Jeremy <PeterJeremy at optushome.com.au> wrote:
>
> > > But what files REALLY MUST have it ?
> >
> > There's no simple answer to this.  It's a matter of going through each
> > file with setuid (or setgid) set, understanding why that file has the
> > set[gu]id bit and whether you need that functionality.
>
> Robert Watson is going through all the setuid files, to see which really
> need to be setuid. In -CURRENT he has removed the setuid bit from quota.
>
> Anyway I have been thinking about writing a program to make the default
> installation (with "extreme" security) even more secure. I have attached
> the configuration file, it should explain what the program can do. (not
> one line of code has been written yet).
>
> Btw setting noexec and nosuid on a mount point is a little redundant
> right? I mean since the user can't execute files, there is no point in
> also setting nosuid?
>
> Best regards
> Socketd
>
> ps: Please remember that the LockDown configuration file is only version
> 0.1, so nothing is final.
>
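
The per-file review Peter Jeremy describes above can be tracked with a small script. This is an added example, not code from the thread or from the proposed LockDown program; the function names and the reviewed-list file format (one absolute path per line, `#` for comments) are assumptions.

```shell
#!/bin/sh
# Added example: track which set[gu]id files have been reviewed.

# list_setid ROOT
# Print every regular file under ROOT that has the setuid or setgid
# bit set, one path per line, sorted. -xdev keeps find on a single
# file system, so each mount point is audited explicitly.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# unreviewed_setid ROOT REVIEWED_LIST
# Print the set[gu]id files under ROOT that do not appear in
# REVIEWED_LIST. A file belongs in that list only after someone has
# worked out why it carries the bit and decided the functionality is
# needed.
unreviewed_setid() {
    root=$1
    reviewed=$2
    list_setid "$root" | while IFS= read -r path; do
        # -F: literal match, -x: whole line, -q: exit status only
        grep -v '^#' "$reviewed" | grep -Fxq -- "$path" || printf '%s\n' "$path"
    done
}

# Stand-alone use: sh setid-audit.sh /usr/bin reviewed.txt
if [ "$#" -eq 2 ]; then
    unreviewed_setid "$1" "$2"
fi
```

Run from cron after upgrades, any output means a set[gu]id file has appeared that nobody has looked at yet.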

