Date: Sun, 2 Nov 1997 11:43:09 -0800 (PST)
From: Tom
To: Wolfram Schneider
cc: freebsd-hackers@freebsd.org
Subject: Re: Suggested addition to /etc/security

On 2 Nov 1997, Wolfram Schneider wrote:

> Tom writes:
> > > > echo "checking for invalid user or group ids:"
> > > > find / -nouser -nogroup
> > How does this check improve security?
> > Also, shouldn't the security script be run under idprio?
>
> No. find is disk I/O bound. idprio sets only the CPU scheduling priority.

find is perhaps disk i/o bound, depending on the speed of the disks and
cpu. I notice here that doing just a "find . > /dev/null" ratchets up the
load quite nicely. More complex find options will hurt even more. Also,
chewing up disk i/o bandwidth isn't a good thing either; it will hurt
other applications. Is it possible to run /etc/security and not have
performance degraded during this period? It seems that either the CPU
and/or disk bandwidth will take a big hit.

> Root-Cron jobs should never be started with idprio because a non-root
> user process can block the jobs. This is a security risk ;-)
>
> --
> Wolfram Schneider http://www.apfel.de/~wosch/
>

Tom