From owner-cvs-src@FreeBSD.ORG Fri Jan 14 14:01:24 2005 Return-Path: Delivered-To: cvs-src@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BFD7816A4CE; Fri, 14 Jan 2005 14:01:24 +0000 (GMT) Received: from gw.celabo.org (gw.celabo.org [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id 69E8F43D31; Fri, 14 Jan 2005 14:01:24 +0000 (GMT) (envelope-from nectar@celabo.org) Received: from lum.celabo.org (lum.celabo.org [10.0.1.107]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "lum.celabo.org", Issuer "celabo.org CA" (verified OK)) by gw.celabo.org (Postfix) with ESMTP id 9E49B3E395F; Fri, 14 Jan 2005 08:01:23 -0600 (CST) Received: by lum.celabo.org (Postfix, from userid 1001) id E35DA563476; Fri, 14 Jan 2005 08:01:22 -0600 (CST) Date: Fri, 14 Jan 2005 08:01:22 -0600 From: "Jacques A. Vidrine" To: John-Mark Gurney Message-ID: <20050114140122.GC8477@lum.celabo.org> Mail-Followup-To: "Jacques A. Vidrine" , John-Mark Gurney , Giorgos Keramidas , Ceri Davies , src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org References: <20050113153228.GG49329@submonkey.net> <200501131849.j0DInEEE029957@gw.catspoiler.org> <20050113185323.GI49329@submonkey.net> <20050113190755.GA24939@orion.daedalusnetworks.priv> <20050113193413.GL19624@funkthat.com> <20050113204154.GA829@gothmog.gr> <20050113205528.GA83599@hellblazer.celabo.org> <20050113215132.GM19624@funkthat.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20050113215132.GM19624@funkthat.com> X-Url: http://www.celabo.org/ User-Agent: Mutt/1.5.6i cc: Giorgos Keramidas cc: cvs-src@FreeBSD.org cc: Ceri Davies cc: cvs-all@FreeBSD.org cc: src-committers@FreeBSD.org Subject: Re: cvs commit: src/etc/periodic/security 100.chksetuid X-BeenThere: cvs-src@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: CVS commit messages for the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 14 Jan 2005 14:01:24 -0000 On Thu, Jan 13, 2005 at 01:51:32PM -0800, John-Mark Gurney wrote: > Most nfs installs, you have control over the server, and are probably > already running something similar on the server... If you are mounting > "untrusted" shares, as you said, they should be mounted nosetuid or noexec, > and if you really need it not mounted noexec, then we should provide an > include of non-local fs's... I was thinking of an active attacker on the network, in which case it doesn't matter if you have control over the server or not. Cheers, -- Jacques A Vidrine / NTT/Verio nectar@celabo.org / jvidrine@verio.net / nectar@FreeBSD.org