Date:      Thu, 25 Apr 2002 04:20:28 +0200
From:      Johan Karlsson <k@numeri.campus.luth.se>
To:        Robert Watson <rwatson@freebsd.org>
Cc:        freebsd-arch@freebsd.org
Subject:   Re: NOSUID and NOSUID_prog make knobs
Message-ID:  <20020425042028.B73613@numeri.campus.luth.se>
In-Reply-To: <Pine.NEB.3.96L.1020424220527.91313M-100000@fledge.watson.org>; from rwatson@freebsd.org on Wed, Apr 24, 2002 at 10:06:18PM -0400
References:  <20020425035353.A73613@numeri.campus.luth.se> <Pine.NEB.3.96L.1020424220527.91313M-100000@fledge.watson.org>

Hi

This patch was just to demonstrate the concept; it is by no means
a complete patch. I know that ps is not suid already, but since the
BINMODE line only is commented out I made the change.

/Johan K

On Wed, Apr 24, 2002 at 22:06 (-0400) +0000, Robert Watson wrote:
> Seems like a basically good idea.  However, 'ps' should already not be
> setgid in -CURRENT, and you appear to have missed some setgid monitoring
> tools that do actually exist.  The style weenies may have something to say
> about variable naming, but this seems like a good thing to do.  I have
> some custom local hacks that do much the same, actually, but in a less
> finished way. 
> 
> Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
> robert@fledge.watson.org      NAI Labs, Safeport Network Services
> 
> On Thu, 25 Apr 2002, Johan Karlsson wrote:
> 
> > [bcc -security since the discussion started there ]
> > 
> > Hi all,
> > 
> > recently a discussion about removing the setuid bit popped up again
> > http://docs.FreeBSD.org/cgi/getmsg.cgi?fetch=166393+0+current/freebsd-security
> > 
> > Jason noted that it had been discussed before and also that 
> > introducing a make knob to disable installation of
> > various programs with the setuid bit turned on had been proposed.
> > 
> > I have started to implement this and would like to know
> > what you think of the concept.
> > 
> > Attached is an untested diff for some suid/sgid programs.
> > 
> > Basically it protects the BINMODE assignment in the Makefile with
> > .if !defined(NOSUID) && !defined(NOSUID_prog)
> > 
> > I have also made changes to make.conf.5 and examples/etc/make.conf
> > to reflect the new knobs.
> > 
> > Please have a look at the attached diff and let me know what you think.
> > 
> > If there is interest and some committer would consider committing 
> > something along those lines I'm willing to make a diff for most 
> > of the suid/sgid programs we have in the tree.
> > 
> > /Johan K
> > -- 
> > Johan Karlsson		mailto:k@numeri.campus.luth.se
> > 

-- 
Johan Karlsson		mailto:k@numeri.campus.luth.se

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-arch" in the body of the message
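
A check for finding Makefiles that still install with a setuid/setgid `BINMODE` outside the `.if !defined(NOSUID) && !defined(NOSUID_prog)` guard proposed in the quoted message. This is an added example, not part of the thread or of the attached diff; the function names, the sample Makefiles and the `NOSUID_a` knob are constructed, and only `BINMODE` lines are inspected.

```shell
#!/bin/sh
# Added example (not from the thread): list BINMODE assignments that set a
# setuid/setgid bit without the ".if !defined(NOSUID) ..." guard.

# unguarded_suid FILE... prints "file:line: BINMODE=mode" for each finding.
unguarded_suid() {
    awk '
    FNR == 1 { depth = 0; guard = 0 }        # new file: reset nesting state
    /^\.[ \t]*el/ {                          # .else/.elif: the guard no longer holds
        if (guard == depth) guard = 0
        next
    }
    /^\.[ \t]*if/ {                          # .if/.ifdef/.ifndef opens a block
        depth++
        if (guard == 0 && $0 ~ /!defined\(NOSUID\)/) guard = depth
        next
    }
    /^\.[ \t]*endif/ {
        if (guard == depth) guard = 0
        if (depth > 0) depth--
        next
    }
    /^[ \t]*BINMODE[ \t]*[?+:!]?=/ && guard == 0 {
        mode = $0
        sub(/^[^=]*=[ \t]*/, "", mode)       # keep the value only
        sub(/[ \t#].*$/, "", mode)           # drop trailing comment
        # setuid (4000) or setgid (2000) bit present in an octal mode
        if (mode ~ /^0?[2-7][0-7][0-7][0-7]$/)
            printf "%s:%d: BINMODE=%s\n", FILENAME, FNR, mode
    }' "$@"
}

# demo: constructed sample Makefiles, one guarded and one not.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/guarded" "$d/plain"
    printf '%s\n' 'PROG= a' '.if !defined(NOSUID) && !defined(NOSUID_a)' \
        'BINMODE= 4555' '.endif' > "$d/guarded/Makefile"
    printf '%s\n' 'PROG= b' 'BINGRP= kmem' 'BINMODE= 2555' \
        > "$d/plain/Makefile"
    unguarded_suid "$d/guarded/Makefile" "$d/plain/Makefile" | sed "s|$d/||"
    rm -rf "$d"
}
```

Call `demo` to see the constructed case, or pass real Makefile paths to `unguarded_suid`; an empty result means every setuid/setgid `BINMODE` it found sits behind the knob.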