From: Ceri Davies
To: Don Lewis
Cc: cvs-src@FreeBSD.org, glebius@FreeBSD.org, cvs-all@FreeBSD.org, src-committers@FreeBSD.org
Date: Thu, 13 Jan 2005 18:53:23 +0000
Message-ID: <20050113185323.GI49329@submonkey.net>
In-Reply-To: <200501131849.j0DInEEE029957@gw.catspoiler.org>
Subject: Re: cvs commit: src/etc/periodic/security 100.chksetuid

On Thu, Jan 13, 2005 at 10:49:14AM -0800, Don Lewis wrote:
> On 13 Jan, Ceri Davies wrote:
> > On Thu, Jan 13, 2005 at 06:28:26PM +0300, Gleb Smirnoff wrote:
> >> On Thu, Jan 13, 2005 at 03:24:30PM +0000, Ceri Davies wrote:
> >> C> Umm, why not? If setuid binaries appear anywhere on my system then I'd
> >> C> like to continue to be told so that I can be confident of where they
> >> C> came from. I don't care if they pose an immediate threat or not.
> >>
> >> In this case "grep -v nosuid" must be removed, too, to be consistent.
> >>
> >> P.S. We have "grep -v nosuid" from the very beginning.
> >
> > Hmm. I retract my objection then, whilst retaining my reservations.
>
> I did something like this locally way back in the 2.1.x days. Running
> suid checks on the news spool, the squid cache, the CD-ROM changer
> (causing it to sometimes lock up), and a bunch of NFS clients
> simultaneously doing suid checks on the same NFS server got to be a
> drag.

Sounds like something like chksetuid_exclude which lists mountpoints to
exclude might be in order. Any objections to me putting that together,
or are people happy with the status quo?

Ceri

--
Only two things are infinite, the universe and human stupidity, and I'm
not sure about the former. -- Einstein (attrib.)
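An added example of the exclusion mechanism proposed in this thread, written in POSIX sh; it is not the FreeBSD 100.chksetuid script itself, and it assumes a hypothetical chksetuid_exclude variable plus constructed mount(8) output.

```shell
#!/bin/sh
# Added illustration, not the FreeBSD 100.chksetuid script itself.
# Selects the mount points a periodic setuid check should scan: it keeps
# the existing "grep -v nosuid" filter and adds a hypothetical
# chksetuid_exclude variable listing mount points to skip.

# Constructed sample of mount(8) output: "<dev> on <mountpoint> (<opts>)".
SAMPLE_MOUNTS='/dev/ad0s1a on / (ufs, local)
/dev/ad0s1d on /usr (ufs, local, soft-updates)
/dev/ad0s1e on /var (ufs, local, nosuid, soft-updates)
/dev/acd0 on /cdrom (cd9660, local, read-only)
/dev/ad1s1d on /news (ufs, local)
server:/export on /mnt/nfs (nfs)'

# Hypothetical periodic.conf knob (assumption): space-separated mount
# points to skip, e.g. the news spool or a CD-ROM changer.
chksetuid_exclude='/cdrom /news'

# Usage: chksetuid_mountpoints "<mount(8) listing>"
# Prints one mount point per line: local filesystems only, minus those
# mounted nosuid (existing behaviour) and minus those listed in
# $chksetuid_exclude (the proposed addition). Field 3 is the mount point.
chksetuid_mountpoints() {
    printf '%s\n' "$1" |
    grep -v nosuid |
    awk '/[(,] local[,)]/ { print $3 }' |
    while read -r mp; do
        skip=0
        for ex in $chksetuid_exclude; do
            [ "$mp" = "$ex" ] && skip=1
        done
        if [ "$skip" -eq 0 ]; then printf '%s\n' "$mp"; fi
    done
}

# Run the setuid/setgid search over the selected mount points, staying on
# each filesystem (-xdev) so an excluded mount below a scanned one is not
# descended into.
chksetuid_find() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} +
}

chksetuid_mountpoints "$SAMPLE_MOUNTS"
```

In a real periodic script the output of chksetuid_mountpoints would be passed to chksetuid_find and the result diffed against the previous run's list, as 100.chksetuid does.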