Date: Thu, 25 Apr 2002 03:53:53 +0200 From: Johan Karlsson <k@numeri.campus.luth.se> To: freebsd-arch@freebsd.org Subject: NOSUID and NOSUID_prog make knobs Message-ID: <20020425035353.A73613@numeri.campus.luth.se>
next in thread | raw e-mail | index | archive | help
--fUYQa+Pmc3FrFX/N Content-Type: text/plain; charset=us-ascii Content-Disposition: inline [bcc -security since the discussion started there ] Hi all, recently a discussion about removing the setuid bit popup again http://docs.FreeBSD.org/cgi/getmsg.cgi?fetch=166393+0+current/freebsd-security Jason noted that it had been discussed before and also that introducing a make knob to disable installation of various programs with the setuid bit turned on had been proposed. I have started to implement this and would like to know what you think of the concept. Attached is an untested diff for some suid/sgid programs. Basicly it protects the BINMODE assignment in the Makefile with .if !defined(NOSUID) && !defined(NOSUID_prog) I have also made changes to make.conf.5 and examples/etc/make.conf to reflect the new knobs. Please have a look at the attached diff and let me know what you think. If there is interest and some commiter would consider to commit something along those lines I'm willing to make a diff for most of the suid/sgid programs we have in the tree. /Johan K -- Johan Karlsson mailto:k@numeri.campus.luth.se --fUYQa+Pmc3FrFX/N Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="NOSUID.diff" ? usr.sbin/sa ? usr.sbin/rpc.statd ? usr.sbin/rpc.umntall ? usr.sbin/rpc.yppasswdd ? usr.sbin/rpc.ypupdated ? usr.sbin/rpc.ypxfrd ? usr.sbin/rpcbind ? usr.sbin/rrenumd ? usr.sbin/rtadvd ? usr.sbin/rtprio ? usr.sbin/rtsold ? usr.sbin/rwhod ? usr.sbin/sendmail ? usr.sbin/setextattr ? usr.sbin/setkey ? usr.sbin/sgsc ? usr.sbin/sicontrol ? usr.sbin/sliplogin ? usr.sbin/slstat ? usr.sbin/spkrtest ? usr.sbin/spray ? usr.sbin/stallion Index: share/examples/etc/make.conf =================================================================== RCS file: /home/ncvs/src/share/examples/etc/make.conf,v retrieving revision 1.186 diff -u -r1.186 make.conf --- share/examples/etc/make.conf 2002/04/23 23:59:51 1.186 +++ share/examples/etc/make.conf 2002/04/25 01:29:12 @@ -88,6 +88,22 @@ # To enable installing ssh(1) with the setuid bit turned on #ENABLE_SUID_SSH= true # +# To avoid installing various parts with the setuid/setgid bit turned on +# +#NOSUID= true # no setuid bit for any of the below +#NOSUID_AT= true # no setuid bit for at +#NOSUID_CHPASS= true # no setuid bit for chpass +#NOSUID_K5SU= true # no setuid bit for k5su +#NOSUID_PING= true # no setuid bit for ping +#NOSUID_PING6= true # no setuid bit for ping6 +#NOSUID_PPP= true # no setuid bit for ppp +#NOSUID_RCP= true # no setuid bit for rcp +#NOSUID_SHUTDOWN= true # no setuid bit for shutdown +# +#NOSGID= true # no setgid bit for any of the below +#NOSGID_DM= true # no setgid bit for dm +#NOSGID_PS= true # no setgid bit for ps + # To avoid building various parts of the base system: #NO_CVS= true # do not build CVS #NO_CXX= true # do not build C++ and friends Index: share/man/man5/make.conf.5 =================================================================== RCS file: /home/ncvs/src/share/man/man5/make.conf.5,v retrieving revision 1.43 diff -u -r1.43 make.conf.5 --- share/man/man5/make.conf.5 2002/04/23 23:59:51 1.43 +++ share/man/man5/make.conf.5 2002/04/25 01:29:16 @@ -480,11 +480,39 @@ set to not build crypto code in .Pa secure subdir. +.It Va NOSGID +.Pq Vt bool +Set to disable the installation of all of the following +as sgid programs. +.It Va NOSGID_DM +.Pq Vt bool +Set to disable the installation of +.Xr dm 8 +as a sgid program. .It Va NOSHARE .Pq Vt bool Set to not build in the .Pa share subdir. +.It Va NOSGID +.Pq Vt bool +Set to disable the installation of all of the following +as suid programs. +.It Va NOSUID_AT +.Pq Vt bool +Set to disable the installation of +.Xr at 1 +as a suid program. +.It Va NOSUID_CHPASS +.Pq Vt bool +Set to disable the installation of +.Xr chpass 1 +as a suid program. +.It Va NOSUID_PPP +.Pq Vt bool +Set to disable the installation of +.Xr ppp 8 +as a suid program. .It Va NOUUCP .Pq Vt bool Set to not build @@ -496,11 +524,6 @@ .Xr perl 1 with thread support. -.It Va PPP_NOSUID -.Pq Vt bool -Set to disable the installation of -.Xr ppp 8 -as an suid root program. .It Va SENDMAIL_MC .Pq Vt str The default m4 configuration file to use at install time. Index: bin/ps/Makefile =================================================================== RCS file: /home/ncvs/src/bin/ps/Makefile,v retrieving revision 1.19 diff -u -r1.19 Makefile --- bin/ps/Makefile 2002/02/04 03:06:50 1.19 +++ bin/ps/Makefile 2002/04/25 01:29:36 @@ -14,7 +14,9 @@ WFORMAT=0 DPADD= ${LIBM} ${LIBKVM} LDADD= -lm -lkvm +.if !defined(NOSGID) && !defined(NOSGID_PS) #BINGRP= kmem #BINMODE=2555 +.endif .include <bsd.prog.mk> Index: bin/rcp/Makefile =================================================================== RCS file: /home/ncvs/src/bin/rcp/Makefile,v retrieving revision 1.20 diff -u -r1.20 Makefile --- bin/rcp/Makefile 2002/04/18 07:01:34 1.20 +++ bin/rcp/Makefile 2002/04/25 01:29:36 @@ -21,8 +21,10 @@ .PATH: ${.CURDIR}/../../crypto/kerberosIV/appl/bsd .endif +.if !defined(NOSUID) && !defined(NOSUID_RCP) BINOWN= root BINMODE=4555 INSTALLFLAGS=-fschg +.endif .include <bsd.prog.mk> Index: sbin/ping/Makefile =================================================================== RCS file: /home/ncvs/src/sbin/ping/Makefile,v retrieving revision 1.17 diff -u -r1.17 Makefile --- sbin/ping/Makefile 2001/12/04 02:19:55 1.17 +++ sbin/ping/Makefile 2002/04/25 01:29:48 @@ -3,8 +3,10 @@ PROG= ping MAN= ping.8 +.if !defined(NOSUID) && !defined(NOSUID_PING) BINOWN= root BINMODE=4555 +.endif .if ${MACHINE_ARCH} == "alpha" CFLAGS+=-fno-builtin # GCC's builtin memcpy doesn't do unaligned copies .endif Index: sbin/ping6/Makefile =================================================================== RCS file: /home/ncvs/src/sbin/ping6/Makefile,v retrieving revision 1.9 diff -u -r1.9 Makefile --- sbin/ping6/Makefile 2002/03/01 09:49:48 1.9 +++ sbin/ping6/Makefile 2002/04/25 01:29:48 @@ -6,8 +6,10 @@ CFLAGS+=-DINET6 -DIPSEC WARNS= 0 +.if !defined(NOSUID) && !defined(NOSUID_PING6) BINOWN= root BINMODE=4555 +.endif LDADD= -lipsec -lm -lmd DPADD= ${LIBIPSEC} ${LIBM} ${LIBMD} Index: usr.bin/at/Makefile =================================================================== RCS file: /home/ncvs/src/usr.bin/at/Makefile,v retrieving revision 1.15 diff -u -r1.15 Makefile --- usr.bin/at/Makefile 2002/02/08 22:31:35 1.15 +++ usr.bin/at/Makefile 2002/04/25 01:29:49 @@ -11,8 +11,10 @@ at.1 atq.1 \ at.1 atrm.1 +.if !defined(NUSUID) && !defined(NOSUID_AT) BINOWN= root BINMODE= 4555 +.endif CLEANFILES+= at.1 at.1: at.man Index: usr.bin/chpass/Makefile =================================================================== RCS file: /home/ncvs/src/usr.bin/chpass/Makefile,v retrieving revision 1.25 diff -u -r1.25 Makefile --- usr.bin/chpass/Makefile 2002/03/24 10:21:22 1.25 +++ usr.bin/chpass/Makefile 2002/04/25 01:29:51 @@ -6,8 +6,10 @@ table.c util.c ypxfr_misc.c ${GENSRCS} GENSRCS=yp.h yp_clnt.c yppasswd.h yppasswd_clnt.c yppasswd_private.h \ yppasswd_private_clnt.c yppasswd_private_xdr.c +.if !defined(NOSUID) && !defined(NOSUID_CHPASS) BINOWN= root BINMODE=4555 +.endif .PATH: ${.CURDIR}/../../usr.sbin/pwd_mkdb ${.CURDIR}/../../usr.sbin/vipw \ ${.CURDIR}/../../libexec/ypxfr \ ${.CURDIR}/../../usr.sbin/rpc.yppasswdd \ Index: usr.sbin/ppp/Makefile =================================================================== RCS file: /home/ncvs/src/usr.sbin/ppp/Makefile,v retrieving revision 1.94 diff -u -r1.94 Makefile --- usr.sbin/ppp/Makefile 2002/03/30 17:57:51 1.94 +++ usr.sbin/ppp/Makefile 2002/04/25 01:30:37 @@ -19,11 +19,11 @@ NOSUID= true .endif -.if defined(NOSUID) || defined(PPP_NOSUID) -BINMODE=554 -.else +.if !defined(NOSUID) && !defined(NOSUID_PPP) && !defined(PPP_NOSUID) BINMODE=4554 BINOWN= root +.else +BINMODE=554 .endif BINGRP= network M4FLAGS= --fUYQa+Pmc3FrFX/N-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020425035353.A73613>