Date: Wed, 24 Apr 2002 22:06:18 -0400 (EDT)
From: Robert Watson <rwatson@FreeBSD.ORG>
To: Johan Karlsson <k@numeri.campus.luth.se>
Cc: freebsd-arch@FreeBSD.ORG
Subject: Re: NOSUID and NOSUID_prog make knobs
Message-ID: <Pine.NEB.3.96L.1020424220527.91313M-100000@fledge.watson.org>
In-Reply-To: <20020425035353.A73613@numeri.campus.luth.se>

Seems like a basically good idea.  However, 'ps' should already not be
setgid in -CURRENT, and you appear to have missed some setgid monitoring
tools that do actually exist.  The style weenies may have something to say
about variable naming, but this seems like a good thing to do.  I have
some custom local hacks that do much the same, actually, but in a less
finished way.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

On Thu, 25 Apr 2002, Johan Karlsson wrote:

> [bcc -security since the discussion started there ]
>
> Hi all,
>
> recently a discussion about removing the setuid bit popped up again
> http://docs.FreeBSD.org/cgi/getmsg.cgi?fetch=166393+0+current/freebsd-security
>
> Jason noted that it had been discussed before and also that
> introducing a make knob to disable installation of
> various programs with the setuid bit turned on had been proposed.
>
> I have started to implement this and would like to know
> what you think of the concept.
>
> Attached is an untested diff for some suid/sgid programs.
>
> Basically it protects the BINMODE assignment in the Makefile with
> .if !defined(NOSUID) && !defined(NOSUID_prog)
>
> I have also made changes to make.conf.5 and examples/etc/make.conf
> to reflect the new knobs.
>
> Please have a look at the attached diff and let me know what you think.
>
> If there is interest and some committer would consider to commit
> something along those lines I'm willing to make a diff for most
> of the suid/sgid programs we have in the tree.
>
> /Johan K
> --
> Johan Karlsson		mailto:k@numeri.campus.luth.se
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-arch" in the body of the message
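
Added example, not part of either message or of the attached diff: a small shell check that lists Makefiles which still assign a setuid/setgid BINMODE outside the ".if !defined(NOSUID) ..." guard quoted above, which is one way to find programs a per-Makefile conversion has missed. The sample tree, its program names and both function names are constructed for illustration.

```sh
#!/bin/sh
# Added example: list Makefiles that set a setuid/setgid BINMODE outside a
# ".if !defined(NOSUID) ..." guard. The knob names come from the proposal;
# the sample tree and program names below are constructed.

unguarded_binmode() {
    # $1 = root of a source tree; prints one offending Makefile per line.
    find "$1" -type f -name Makefile | sort | while read -r mk; do
        awk -v file="$mk" '
            /^\.[ \t]*if/ {                  # .if/.ifdef/.ifndef opens a level
                depth++
                guard[depth] = ($0 ~ /!defined\(NOSUID/) ? 1 : 0
                next
            }
            /^\.[ \t]*else/  { guard[depth] = 0; next }  # else-branch: no guard
            /^\.[ \t]*endif/ { if (depth > 0) { delete guard[depth]; depth-- }; next }
            /^BINMODE[ \t]*[?:+]?=/ {
                mode = $0
                sub(/^[^=]*=[ \t]*/, "", mode)   # keep the value only
                sub(/[ \t].*$/, "", mode)        # drop anything after the value
                # 4-digit octal whose leading digit carries setuid (4) or setgid (2)
                if (mode !~ /^0*[2-7][0-7][0-7][0-7]$/) next
                covered = 0
                for (i = 1; i <= depth; i++) if (guard[i]) covered = 1
                if (!covered) bad = 1
            }
            END { if (bad) print file }
        ' "$mk"
    done
}

make_sample_tree() {
    # Constructed sample tree with hypothetical program names.
    root=$(mktemp -d) || return 1
    mkdir "$root/guarded" "$root/unguarded" "$root/plain"
    printf '%s\n' 'PROG= guarded' \
        '.if !defined(NOSUID) && !defined(NOSUID_guarded)' \
        'BINMODE= 4555' '.endif' > "$root/guarded/Makefile"
    printf '%s\n' 'PROG= unguarded' 'BINGRP= kmem' 'BINMODE= 2555' \
        > "$root/unguarded/Makefile"
    printf '%s\n' 'PROG= plain' 'BINMODE= 555' > "$root/plain/Makefile"
    echo "$root"
}

tree=$(make_sample_tree)
unguarded_binmode "$tree"    # prints only <tree>/unguarded/Makefile
rm -rf "$tree"
```

The check is textual: it does not evaluate make conditionals, so a BINMODE set through an included file or a variable expansion is not seen.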