From owner-freebsd-security Fri Mar 29 11: 7:28 2002
Delivered-To: freebsd-security@freebsd.org
Received: from oksala.org (modemcable044.179-200-24.timi.mc.videotron.ca [24.200.179.44]) by hub.freebsd.org (Postfix) with ESMTP id CB45B37B400 for ; Fri, 29 Mar 2002 11:07:25 -0800 (PST)
Received: from videotron.ca (silence [24.200.179.44]) by oksala.org (8.11.6/8.11.1) with ESMTP id g2TJ5nP56727; Fri, 29 Mar 2002 14:05:49 -0500 (EST) (envelope-from oksala@videotron.ca)
Message-ID: <3CA4BB08.CB9E9275@videotron.ca>
Date: Fri, 29 Mar 2002 14:05:44 -0500
From: Pierre-Luc Lespérance
Organization: www.oksala.org
X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.5-STABLE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Jason Stone
Cc: security@FreeBSD.ORG
Subject: Re: make world and setuid bits
References: <20020328043119.V5333-100000@walter>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Jason Stone wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Are there make variables that can be set to prevent "make world" from
> installing binaries as setuid? Currently, I always run something like
> "find -perms -4000 | xargs chmod u-s" after doing a make world, but this
> seems inelegant, prone to human error, and dangerous as there's a
> (potentially quite long) period in which there are still many setuid
> binaries....
>
> make options to allow the prevention of "setuid root", "all setuid",
> or "all setuid and all setgid" would be nice.
>
> -Jason

You can mount your filesystem with the "nosuid" option. I think it's
exactly what you are looking for. I'm using it in a jailed environment
but I've never done it on my / fs. See for yourself: man mount.
Hope it helps

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
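An added example, not part of the original messages: a Python audit that lists setuid/setgid regular files under a tree and records whether each one sits on a filesystem mounted nosuid, which ties together the two approaches discussed in this thread. The names `audit_setid` and `Finding` and the default path `/usr/bin` are assumptions of this example.

```python
import os
import stat
import sys
from collections import namedtuple

# Hypothetical result record used only by this example.
Finding = namedtuple("Finding", "path kinds nosuid_mount")


def audit_setid(root):
    """List setuid/setgid regular files under root, sorted by path.

    nosuid_mount is True when the file's filesystem is mounted nosuid,
    in which case the kernel ignores the bits at exec time.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
                if not stat.S_ISREG(st.st_mode):
                    continue
                kinds = [label for bit, label in
                         ((stat.S_ISUID, "setuid"), (stat.S_ISGID, "setgid"))
                         if st.st_mode & bit]
                if not kinds:
                    continue
                # Mount flags of the filesystem that holds this file.
                nosuid = bool(os.statvfs(path).f_flag & os.ST_NOSUID)
            except OSError:
                continue  # file vanished or is unreadable; skip it
            findings.append(Finding(path, tuple(kinds), nosuid))
    return sorted(findings)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/usr/bin"
    for f in audit_setid(target):
        state = "inert (nosuid mount)" if f.nosuid_mount else "ACTIVE"
        print(f"{'+'.join(f.kinds):14} {state:22} {f.path}")
```

Run after an upgrade, the output can be diffed against a saved list of expected setuid binaries to catch bits that were reinstalled.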