From owner-freebsd-current@FreeBSD.ORG Mon Mar 28 21:00:37 2005
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 1DB5116A4CE;
	Mon, 28 Mar 2005 21:00:37 +0000 (GMT)
Received: from mh2.centtech.com (moat3.centtech.com [207.200.51.50])
	by mx1.FreeBSD.org (Postfix) with ESMTP id B01F743D54;
	Mon, 28 Mar 2005 21:00:35 +0000 (GMT)
	(envelope-from anderson@centtech.com)
Received: from [10.177.171.220] (neutrino.centtech.com [10.177.171.220])
	by mh2.centtech.com (8.13.1/8.13.1) with ESMTP id j2SL0YcU003627;
	Mon, 28 Mar 2005 15:00:34 -0600 (CST)
	(envelope-from anderson@centtech.com)
Message-ID: <4248705B.3070804@centtech.com>
Date: Mon, 28 Mar 2005 15:00:11 -0600
From: Eric Anderson
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.5) Gecko/20050325
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Don Lewis
References: <200503282006.j2SK6r8I095373@gw.catspoiler.org>
In-Reply-To: <200503282006.j2SK6r8I095373@gw.catspoiler.org>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
cc: freebsd-current@FreeBSD.org
Subject: Re: Periodic security find pruning
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
X-List-Received-Date: Mon, 28 Mar 2005 21:00:37 -0000

Don Lewis wrote:
> On 28 Mar, Eric Anderson wrote:
>
>> I have a backup server running rsnapshot which has about 10TB of used
>> disk space attached. When the setuid security check runs, it crawls all
>> the partitions mounted, which takes an insane amount of time, and
>> thrashes the disks while I'm trying to send backups to them. I didn't
>> see any way to exclude them, so I hacked the script myself. I've
>> attached a patch to allow exclusion of mount points - please review,
>> replace, hack, etc. as needed.
>>
>> All you need to do is add:
>> daily_status_security_chksetuid_prunemounts=""
>> to /etc/defaults/periodic.conf
>>
>> with a list of mount points to be excluded like this:
>> daily_status_security_chksetuid_prunemounts="vol backup tmp"
>>
>> Patch attached.
>
> Why not just mount these partitions nosuid? That will cause them to
> automagically be skipped by the setuid security scan, and will prevent
> the setuid bit of any executables that happen to be backed up there from
> being honored.

Because then I cannot create suid files, which means I cannot back them up.

Eric

-- 
------------------------------------------------------------------------
Eric Anderson        Sr. Systems Administrator        Centaur Technology
I have seen the future and it is just like the present, only longer.
------------------------------------------------------------------------
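The two ways of keeping a filesystem out of the setuid scan that come up in this exchange (skipping anything mounted nosuid, and an explicit exclusion list in the shape of Eric's daily_status_security_chksetuid_prunemounts setting) can be shown together in a small sh/awk filter. This is an added example, not Eric's patch (which is not reproduced on this page) and not FreeBSD's own periodic script. It reads lines in the format of FreeBSD's `mount` output and prints the mount points a scan should visit. The mount lines are constructed for the example; restricting the scan to ufs mounts and accepting prune entries with or without a leading slash are this example's assumptions.

```shell
#!/bin/sh
# Added example: decide which mount points a setuid scan should visit.
# Input is mount(8)-style output, one filesystem per line, e.g.
#   /dev/ad0s1a on / (ufs, local, soft-updates)
# The sample below is constructed for this example, not taken from a real host.
SAMPLE_MOUNTS='/dev/ad0s1a on / (ufs, local, soft-updates)
/dev/ad0s1e on /tmp (ufs, local, nosuid, soft-updates)
/dev/ad0s1f on /usr (ufs, local, soft-updates)
/dev/da0s1d on /vol (ufs, local, soft-updates)
/dev/da1s1d on /backup (ufs, local, soft-updates)
procfs on /proc (procfs, local)'

# scan_targets "PRUNE LIST" < mount-output
# Prints, sorted, one mount point per line, keeping only mounts that are
#   - ufs (assumption of this example: other filesystem types are skipped),
#   - not mounted nosuid (the kernel will not honor setuid bits there), and
#   - not named in the space-separated PRUNE LIST. Entries may be given as
#     "vol" or "/vol"; both are taken to mean the mount point /vol.
scan_targets() {
    prune="$1"
    awk -v prune="$prune" '
    BEGIN {
        n = split(prune, p, " ")
        for (i = 1; i <= n; i++) {
            if (substr(p[i], 1, 1) != "/") p[i] = "/" p[i]   # "vol" -> "/vol"
            skip[p[i]] = 1
        }
    }
    $2 == "on" {
        mp = $3
        # Reduce the line to the option list inside the parentheses,
        # wrapped in ", " and "," so each option can be matched whole.
        opts = $0
        sub(/^[^(]*\(/, "", opts)
        sub(/\)$/, "", opts)
        opts = ", " opts ","
        if (index(opts, ", ufs,") == 0)    next   # not a ufs filesystem
        if (index(opts, ", nosuid,") != 0) next   # setuid bits are ignored here anyway
        if (mp in skip)                    next   # administrator excluded it
        print mp
    }' | LC_ALL=C sort
}

# Demonstration with the constructed sample and the prune list from the thread.
printf '%s\n' "$SAMPLE_MOUNTS" | scan_targets "vol backup tmp"
```

The printed list is what would be handed to `find -x` with the usual setuid predicates. A nosuid mount drops out without any configuration, while each name on the prune list is a place a setuid binary can sit unreported, so that list deserves the same review as the scan output itself.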