From owner-freebsd-security Thu Mar 28 20:37:26 2002 Delivered-To: freebsd-security@freebsd.org Received: from rwcrmhc53.attbi.com (rwcrmhc53.attbi.com [204.127.198.39]) by hub.freebsd.org (Postfix) with ESMTP id 13DC837B417; Thu, 28 Mar 2002 20:37:14 -0800 (PST) Received: from blossom.cjclark.org ([12.234.91.48]) by rwcrmhc53.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20020329043712.OEIP2951.rwcrmhc53.attbi.com@blossom.cjclark.org>; Fri, 29 Mar 2002 04:37:12 +0000 Received: (from cjc@localhost) by blossom.cjclark.org (8.11.6/8.11.6) id g2T4b6p68808; Thu, 28 Mar 2002 20:37:06 -0800 (PST) (envelope-from cjc) Date: Thu, 28 Mar 2002 20:37:06 -0800 From: "Crist J. Clark" To: Gregory Neil Shapiro Cc: Jason Stone , security@FreeBSD.ORG Subject: Re: make world and setuid bits Message-ID: <20020328203706.N97841@blossom.cjclark.org> References: <20020328121850.D97841@blossom.cjclark.org> <20020328161518.R5333-100000@walter> <15523.53653.441767.36231@horsey.gshapiro.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <15523.53653.441767.36231@horsey.gshapiro.net>; from gshapiro@FreeBSD.ORG on Thu, Mar 28, 2002 at 06:29:41PM -0800 X-URL: http://people.freebsd.org/~cjc/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, Mar 28, 2002 at 06:29:41PM -0800, Gregory Neil Shapiro wrote: > >> > Are there make variables that can be set to prevent "make world" from > >> > installing binaries as setuid? > > An alternative is to let buildworld (and any other ports) install things > properly but mount all of your file systems `nosuid'. I do this on > partitions that shouldn't have set-user-ID binaries anyway: > > /dev/ad0s1a / ufs rw,userquota,groupquota 1 1 > /dev/ad0s1b none swap sw 0 0 > /dev/ad0s1e /var ufs rw,userquota,groupquota,nodev,nosuid 2 2 > /dev/ad0s1f /tmp ufs rw,userquota,groupquota,nodev,nosuid 0 2 > /dev/ad0s1g /usr ufs rw,userquota,groupquota,nodev 2 2 > /dev/ad0s1h /home ufs rw,userquota,groupquota,nodev,nosuid 2 2 > /dev/cd0c /cdrom cd9660 ro,noauto,nodev,nosuid 0 0 > proc /proc procfs rw 0 0 Yeah, I thought of that right after I sent the mail. I don't see any need for a switch to turn off all setuid's when this simple, and safer, solution is available. -- Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message