Re: Periodic security find pruning

From: Eric Anderson <anderson_at_centtech.com>
Date: Mon, 28 Mar 2005 15:53:57 -0600
Don Lewis wrote:
> On 28 Mar, Eric Anderson wrote:
> 
>>Don Lewis wrote:
>>
>>
>>>Why not just mount these partitions nosuid?   That will cause them to
>>>automagically be skipped by the setuid security scan, and will prevent
>>>the setuid bit of any executables that happen to be backed up there from
>>>being honored.
>>
>>Because then I cannot create suid files, which means I cannot back them up..
> 
> 
> Are you sure about that?
> 
> % df .
> Filesystem  1K-blocks    Used   Avail Capacity  Mounted on
> /dev/ad0s2f  11811982 6125698 4741326    56%    /home
> % mount | grep home
> /dev/ad0s2f on /home (ufs, local, nosuid, soft-updates)
> % touch foo
> % ls -l foo
> -rw-r--r--  1 dl  dl  0 Mar 28 13:45 foo
> % chmod 4755 foo
> ls -l foo
> -rwsr-xr-x  1 dl  dl  0 Mar 28 13:45 foo
> % uname -sr
> FreeBSD 6.0-CURRENT


Nope - not sure at all! :)  By reading the man page, one is led to think you cannot.  Maybe the man page should be adjusted to clarify, as that could possibly get someone into trouble.  Thanks for pointing this out.  However, I *still* think it needs to be an option - what if one really needs those suid bits, but doesn't want the machine bogged down for several days doing a find?

Eric



-- 
------------------------------------------------------------------------
Eric Anderson        Sr. Systems Administrator        Centaur Technology
I have seen the future and it is just like the present, only longer.
------------------------------------------------------------------------
Received on Mon Mar 28 2005 - 19:54:22 UTC
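
The two options discussed in this thread, side by side, as an added example that is not from any poster or from FreeBSD's periodic scripts: select the mount points a setuid scan would walk by skipping nosuid filesystems and, separately, an administrator-supplied exclusion list. The function names, the exclusion argument, the ufs-only filter and the sample mount lines are assumptions made for illustration; the /home line is the one shown in the quoted session.

```shell
#!/bin/sh
# Constructed sample input in the format printed by `mount`.
SAMPLE_MOUNT='/dev/ad0s1a on / (ufs, local, soft-updates)
/dev/ad0s2f on /home (ufs, local, nosuid, soft-updates)
/dev/ad0s3d on /backup (ufs, local, soft-updates)
devfs on /dev (devfs, local)'

# scan_targets EXCLUDES
# Reads `mount` output on stdin and prints the mount points to scan.
# EXCLUDES is a space-separated list of mount points to prune (hypothetical
# knob). Assumes mount points contain no whitespace.
scan_targets() {
    awk -v skip="$1" '
        BEGIN { n = split(skip, s, " "); for (i = 1; i <= n; i++) ex[s[i]] = 1 }
        {
            # The options are the parenthesised list at the end of the line.
            opts = $0
            sub(/^.*\(/, "", opts)
            sub(/\).*$/, "", opts)
            m = split(opts, o, /, */)
            nosuid = 0
            for (i = 2; i <= m; i++) if (o[i] == "nosuid") nosuid = 1
            # Assumption: only ufs filesystems are of interest to the scan.
            if (o[1] == "ufs" && !nosuid && !($3 in ex)) print $3
        }'
}

# setuid_scan
# Reads mount points on stdin and lists setuid/setgid regular files on each,
# without descending into other filesystems mounted below it.
setuid_scan() {
    while IFS= read -r mp; do
        find "$mp" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
    done
}

# Demo on the constructed sample: /home is nosuid, /backup is excluded.
printf '%s\n' "$SAMPLE_MOUNT" | scan_targets "/backup"   # prints /
```

On a live system the pipeline would be `mount | scan_targets "/backup" | setuid_scan`. Files on an excluded or nosuid mount keep whatever setuid bits they were given, as the chmod session above shows; they are simply not reported.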
