From owner-freebsd-current@FreeBSD.ORG Mon Mar 28 20:07:09 2005 Return-Path: Delivered-To: freebsd-current@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F1FC116A4CE for ; Mon, 28 Mar 2005 20:07:08 +0000 (GMT) Received: from gw.catspoiler.org (217-ip-163.nccn.net [209.79.217.163]) by mx1.FreeBSD.org (Postfix) with ESMTP id AAAD343D2F for ; Mon, 28 Mar 2005 20:07:08 +0000 (GMT) (envelope-from truckman@FreeBSD.org) Received: from FreeBSD.org (mousie.catspoiler.org [192.168.101.2]) by gw.catspoiler.org (8.13.1/8.13.1) with ESMTP id j2SK6r8I095373; Mon, 28 Mar 2005 12:06:58 -0800 (PST) (envelope-from truckman@FreeBSD.org) Message-Id: <200503282006.j2SK6r8I095373@gw.catspoiler.org> Date: Mon, 28 Mar 2005 12:06:53 -0800 (PST) From: Don Lewis To: anderson@centtech.com In-Reply-To: <42481D60.9050801@centtech.com> MIME-Version: 1.0 Content-Type: TEXT/plain; charset=us-ascii cc: freebsd-current@FreeBSD.org Subject: Re: Periodic security find pruning X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 28 Mar 2005 20:07:09 -0000 On 28 Mar, Eric Anderson wrote: > I have a backup server running rsnapshot which has about 10TB of used disk space attached. When the setuid security check runs, it crawls all the partitions mounted, which takes an insane amount of time, and thrashes the disks while I'm trying to send backups to them. I didn't see any way to exclude them, so I hacked the script myself. I've attached a patch to allow exclusion of mount points - please review, replace, hack, etc as needed. > > All you need to do is add: > daily_status_security_chksetuid_prunemounts="" > to /etc/defaults/periodic.conf > > with a list of mount points to be excluded like this: > daily_status_security_chksetuid_prunemounts="vol backup tmp" > > Patch attached. Why not just mount these partitions nosuid? That will cause them to be automagically be skipped by the setuid security scan, and will prevent the setuid bit of any executables that happen to be backed up there from being honored.