From owner-freebsd-arch Wed Apr 24 19:22:36 2002
Delivered-To: freebsd-arch@freebsd.org
Received: from numeri.campus.luth.se (numeri.campus.luth.se [130.240.197.103]) by hub.freebsd.org (Postfix) with ESMTP id 5984237B41A; Wed, 24 Apr 2002 19:22:09 -0700 (PDT)
Received: (from k@localhost) by numeri.campus.luth.se (8.11.6/8.11.6) id g3P2KS674570; Thu, 25 Apr 2002 04:20:28 +0200 (CEST) (envelope-from k)
Date: Thu, 25 Apr 2002 04:20:28 +0200
From: Johan Karlsson
To: Robert Watson
Cc: freebsd-arch@freebsd.org
Subject: Re: NOSUID and NOSUID_prog make knobs
Message-ID: <20020425042028.B73613@numeri.campus.luth.se>
References: <20020425035353.A73613@numeri.campus.luth.se>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from rwatson@freebsd.org on Wed, Apr 24, 2002 at 10:06:18PM -0400
Sender: owner-freebsd-arch@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hi,

this patch was just to demonstrate the concept; it is by no means a complete patch.

I know that ps is not suid already, but since the BINMODE line is only commented out I made the change.

/Johan K

On Wed, Apr 24, 2002 at 22:06 (-0400) +0000, Robert Watson wrote:
> Seems like a basically good idea. However, 'ps' should already not be
> setgid in -CURRENT, and you appear to have missed some setgid monitoring
> tools that do actually exist. The style weenies may have something to say
> about variable naming, but this seems like a good thing to do. I have
> some custom local hacks that do much the same, actually, but in a less
> finished way.
>
> Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
> robert@fledge.watson.org      NAI Labs, Safeport Network Services
>
> On Thu, 25 Apr 2002, Johan Karlsson wrote:
>
> > [bcc -security since the discussion started there]
> >
> > Hi all,
> >
> > recently a discussion about removing the setuid bit popped up again
> > http://docs.FreeBSD.org/cgi/getmsg.cgi?fetch=166393+0+current/freebsd-security
> >
> > Jason noted that it had been discussed before and also that
> > introducing a make knob to disable installation of
> > various programs with the setuid bit turned on had been proposed.
> >
> > I have started to implement this and would like to know
> > what you think of the concept.
> >
> > Attached is an untested diff for some suid/sgid programs.
> >
> > Basically it protects the BINMODE assignment in the Makefile with
> > .if !defined(NOSUID) && !defined(NOSUID_prog)
> >
> > I have also made changes to make.conf.5 and examples/etc/make.conf
> > to reflect the new knobs.
> >
> > Please have a look at the attached diff and let me know what you think.
> >
> > If there is interest and some committer would consider committing
> > something along those lines I'm willing to make a diff for most
> > of the suid/sgid programs we have in the tree.
> >
> > /Johan K
> > --
> > Johan Karlsson mailto:k@numeri.campus.luth.se

--
Johan Karlsson mailto:k@numeri.campus.luth.se
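The diff Johan attached is not reproduced in the archive, so the following is an added illustration of the pattern his mail describes, not his patch: a BSD-style program Makefile whose setuid BINMODE assignment is wrapped in the NOSUID / NOSUID_prog test. The program name "foo", its install mode, and the NOSUID_foo knob name are assumptions for the example; BINMODE, BINOWN and the .if/.endif syntax are the ordinary bsd.prog.mk conventions.

```make
# Added example, not the patch from this thread. "foo" is a hypothetical
# program that is normally installed setuid root.
PROG=   foo

# Request the setuid bit only when neither the global knob NOSUID nor the
# per-program knob NOSUID_foo is defined (e.g. in /etc/make.conf). When
# either knob is set, this whole block is skipped and BINMODE keeps the
# default from bsd.own.mk (555), so foo is installed as a plain binary.
.if !defined(NOSUID) && !defined(NOSUID_foo)
BINOWN= root
BINMODE=4555
.endif

.include <bsd.prog.mk>
```

With this layout an administrator sets `NOSUID=true` in /etc/make.conf to drop the setuid/setgid bit from every program that carries the guard, or `NOSUID_foo=true` to drop it for foo alone; because the guard removes the whole assignment rather than overriding it, no program-specific mode leaks through when the knob is on. After installing, the effect can be confirmed by checking the mode of the installed file with ls -l, which should show no "s" in the owner or group execute position.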