Date: Sun, 27 Jul 2003 15:44:33 +0200
From: "Peter Rosa" <prosa@pro.sk>
To: "Socketd" <db@traceroute.dk>
Cc: FreeBSD Security <freebsd-security@freebsd.org>
Subject: Re: suid bit files + securing FreeBSD (new program: LockDown)
Message-ID: <004c01c35445$3603c840$3501a8c0@pro.sk>
References: <00d601c3539a$91576a40$3501a8c0@pro.sk> <20030726235710.GD4105@cirb503493.alcatel.com.au> <20030727132847.5adc6b07.db@traceroute.dk>

It sounds very good... Even more to write it...
I'm sorry, I cannot help you as I'm not a programmer (some basics only).

Good luck with your plan and, please, announce it here after finishing.

Best regards
Peter Rosa

----- Original Message -----
From: "Socketd" <db@traceroute.dk>
To: <freebsd-security@freebsd.org>
Sent: Sunday, July 27, 2003 1:28 PM
Subject: Re: suid bit files + securing FreeBSD (new program: LockDown)

> On Sun, 27 Jul 2003 09:57:10 +1000
> Peter Jeremy <PeterJeremy@optushome.com.au> wrote:
>
> > > But what files REALLY MUST have it ?
> >
> > There's no simple answer to this. It's a matter of going through each
> > file with setuid (or setgid) set, understanding why that file has the
> > set[gu]id bit and whether you need that functionality.
>
> Robert Watson is going through all the setuid files, to see which really
> need to be setuid. In -CURRENT he has removed the setuid bit from quota.
>
> Anyway I have been thinking about writing a program to make the default
> installation (with "extreme" security) even more secure. I have attached
> the configuration file, it should explain what the program can do. (not
> one line of code has been written yet).
>
> Btw setting noexec and nosuid on a mount point is a little redundant
> right? I mean since the user can't execute files, there is no point in
> also setting nosuid?
>
> Best regards
> Socketd
>
> ps: Please remember that the LockDown configuration file is only version
> 0.1, so nothing is final.
> --------------------------------------------------------------------------------
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>