From owner-freebsd-security Thu Mar 28 18:29:47 2002
Delivered-To: freebsd-security@freebsd.org
Received: from horsey.gshapiro.net (horsey.gshapiro.net [209.220.147.178])
        by hub.freebsd.org (Postfix) with ESMTP id A0C9637B41D
        for ; Thu, 28 Mar 2002 18:29:42 -0800 (PST)
Received: from horsey.gshapiro.net (gshapiro@localhost [IPv6:::1])
        by horsey.gshapiro.net (8.12.3.Beta2/8.12.3.Beta2) with ESMTP id g2T2TfGd048810
        (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO);
        Thu, 28 Mar 2002 18:29:42 -0800 (PST)
Received: (from gshapiro@localhost)
        by horsey.gshapiro.net (8.12.3.Beta2/8.12.3.Beta2/Submit) id g2T2Tfav048807;
        Thu, 28 Mar 2002 18:29:41 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <15523.53653.441767.36231@horsey.gshapiro.net>
Date: Thu, 28 Mar 2002 18:29:41 -0800
From: Gregory Neil Shapiro
To: Jason Stone
Subject: Re: make world and setuid bits
In-Reply-To: <20020328161518.R5333-100000@walter>
References: <20020328121850.D97841@blossom.cjclark.org>
        <20020328161518.R5333-100000@walter>
X-Mailer: VM 7.00 under 21.1 (patch 14) "Cuyahoga Valley" XEmacs Lucid
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>> > Are there make variables that can be set to prevent "make world" from
>> > installing binaries as setuid?

An alternative is to let buildworld (and any other ports) install things
properly but mount all of your file systems `nosuid'.
I do this on partitions that shouldn't have set-user-ID binaries anyway:

/dev/ad0s1a     /       ufs     rw,userquota,groupquota                 1 1
/dev/ad0s1b     none    swap    sw                                      0 0
/dev/ad0s1e     /var    ufs     rw,userquota,groupquota,nodev,nosuid    2 2
/dev/ad0s1f     /tmp    ufs     rw,userquota,groupquota,nodev,nosuid    0 2
/dev/ad0s1g     /usr    ufs     rw,userquota,groupquota,nodev           2 2
/dev/ad0s1h     /home   ufs     rw,userquota,groupquota,nodev,nosuid    2 2
/dev/cd0c       /cdrom  cd9660  ro,noauto,nodev,nosuid                  0 0
proc            /proc   procfs  rw                                      0 0
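
An added example, not part of the original message: a small sh/awk check that reads an fstab and lists the entries mounted without a given option (nosuid by default), so the file systems still allowed to honour set-user-ID bits can be reviewed. The function names missing_opt and sample_fstab are made up for this example; the sample input is the fstab quoted in the message above.

```shell
#!/bin/sh
# Added example: report fstab entries whose mount options lack a flag.
# missing_opt and sample_fstab are hypothetical helper names.

# Usage: missing_opt [FLAG] < fstab
# Prints "mountpoint fstype" for every non-swap entry without FLAG.
missing_opt() {
    awk -v flag="${1:-nosuid}" '
        NF < 4       { next }   # blank or malformed line
        $1 ~ /^#/    { next }   # comment line
        $3 == "swap" { next }   # swap holds no files, nothing to execute
        {
            # Compare whole option names, so "nosuid" never matches
            # as a substring of some longer option.
            n = split($4, opts, ",")
            found = 0
            for (i = 1; i <= n; i++)
                if (opts[i] == flag) found = 1
            if (!found) print $2, $3
        }'
}

# Sample input: the fstab from the message above.
sample_fstab() {
    cat <<'EOF'
# Device        Mountpoint  FStype  Options                               Dump Pass
/dev/ad0s1a     /       ufs     rw,userquota,groupquota                 1 1
/dev/ad0s1b     none    swap    sw                                      0 0
/dev/ad0s1e     /var    ufs     rw,userquota,groupquota,nodev,nosuid    2 2
/dev/ad0s1f     /tmp    ufs     rw,userquota,groupquota,nodev,nosuid    0 2
/dev/ad0s1g     /usr    ufs     rw,userquota,groupquota,nodev           2 2
/dev/ad0s1h     /home   ufs     rw,userquota,groupquota,nodev,nosuid    2 2
/dev/cd0c       /cdrom  cd9660  ro,noauto,nodev,nosuid                  0 0
proc            /proc   procfs  rw                                      0 0
EOF
}

# Entries that can still honour set-user-ID bits in the sample.
sample_fstab | missing_opt nosuid
```

On a live system the same function can be fed the real file: missing_opt nosuid < /etc/fstab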