Date: Thu, 28 Mar 2002 20:37:06 -0800
From: "Crist J. Clark" <cjc@FreeBSD.ORG>
To: Gregory Neil Shapiro <gshapiro@FreeBSD.ORG>
Cc: Jason Stone <jason-fbsd-security@shalott.net>, security@FreeBSD.ORG
Subject: Re: make world and setuid bits
Message-ID: <20020328203706.N97841@blossom.cjclark.org>
In-Reply-To: <15523.53653.441767.36231@horsey.gshapiro.net>; from gshapiro@FreeBSD.ORG on Thu, Mar 28, 2002 at 06:29:41PM -0800
References: <20020328121850.D97841@blossom.cjclark.org> <20020328161518.R5333-100000@walter> <15523.53653.441767.36231@horsey.gshapiro.net>

On Thu, Mar 28, 2002 at 06:29:41PM -0800, Gregory Neil Shapiro wrote:
> >> > Are there make variables that can be set to prevent "make world" from
> >> > installing binaries as setuid?
>
> An alternative is to let buildworld (and any other ports) install things
> properly but mount all of your file systems `nosuid'. I do this on
> partitions that shouldn't have set-user-ID binaries anyway:
>
> /dev/ad0s1a  /       ufs     rw,userquota,groupquota               1 1
> /dev/ad0s1b  none    swap    sw                                    0 0
> /dev/ad0s1e  /var    ufs     rw,userquota,groupquota,nodev,nosuid  2 2
> /dev/ad0s1f  /tmp    ufs     rw,userquota,groupquota,nodev,nosuid  0 2
> /dev/ad0s1g  /usr    ufs     rw,userquota,groupquota,nodev         2 2
> /dev/ad0s1h  /home   ufs     rw,userquota,groupquota,nodev,nosuid  2 2
> /dev/cd0c    /cdrom  cd9660  ro,noauto,nodev,nosuid                0 0
> proc         /proc   procfs  rw                                    0 0

Yeah, I thought of that right after I sent the mail. I don't see any
need for a switch to turn off all setuid's when this simple, and
safer, solution is available.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020328203706.N97841>
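
A way to check the approach discussed in this message on a given host, as an added example that is not part of the original thread: the function below lists fstab mount points that still honor set-user-ID bits, other than those named as expected to hold such binaries. The names `fstab_without_nosuid` and `sample_fstab` are hypothetical, and the sample input reproduces the fstab quoted in the message.

```shell
#!/bin/sh
# Added example (not from the thread): report fstab entries mounted
# without `nosuid', skipping mount points that are expected to hold
# set-user-ID binaries.
# Usage: fstab_without_nosuid FSTAB [ALLOWED_MOUNTPOINT ...]
fstab_without_nosuid() {
    fstab=$1; shift
    allowed=" $* "
    # fstab fields: device, mount point, fstype, options, dump, pass
    while read -r dev mnt fstype opts _rest; do
        case $dev in ''|\#*) continue ;; esac            # blank line or comment
        case $fstype in swap) continue ;; esac           # swap has no mount point
        case ",$opts," in *,nosuid,*) continue ;; esac   # already nosuid
        case $allowed in *" $mnt "*) continue ;; esac    # expected to allow setuid
        printf '%s\n' "$mnt"
    done < "$fstab"
}

# Sample input: the fstab quoted in the message above.
sample_fstab() {
    cat <<'EOF'
# Device     Mountpoint  FStype  Options                               Dump Pass
/dev/ad0s1a  /       ufs     rw,userquota,groupquota               1 1
/dev/ad0s1b  none    swap    sw                                    0 0
/dev/ad0s1e  /var    ufs     rw,userquota,groupquota,nodev,nosuid  2 2
/dev/ad0s1f  /tmp    ufs     rw,userquota,groupquota,nodev,nosuid  0 2
/dev/ad0s1g  /usr    ufs     rw,userquota,groupquota,nodev         2 2
/dev/ad0s1h  /home   ufs     rw,userquota,groupquota,nodev,nosuid  2 2
/dev/cd0c    /cdrom  cd9660  ro,noauto,nodev,nosuid                0 0
proc         /proc   procfs  rw                                    0 0
EOF
}

# Demo on the sample: / and /usr are the file systems where "make world"
# is left to install set-user-ID binaries.
tmp=$(mktemp) && sample_fstab > "$tmp"
fstab_without_nosuid "$tmp" / /usr
rm -f "$tmp"
```

On a live system, run it as `fstab_without_nosuid /etc/fstab / /usr` and compare the result with the options shown by `mount`, since fstab only describes what is mounted at boot.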