Date: Thu, 25 Apr 2002 05:17:05 +0200
From: Johan Karlsson
To: freebsd-arch@freebsd.org
Subject: Re: NOSUID and NOSUID_prog make knobs
Message-ID: <20020425051705.C73613@numeri.campus.luth.se>
References: <20020425035353.A73613@numeri.campus.luth.se> <20020424191717.A35128@dragon.nuxi.com>
In-Reply-To: <20020424191717.A35128@dragon.nuxi.com>; from dev-null@NUXI.com on Wed, Apr 24, 2002 at 07:17:17PM -0700

In the discussion on -security I got the impression that the
granularity is wanted.

There are currently 29 suid and 14 sgid bits set in Makefile:s
that would be affected by this. Some of them make sense to
group together e.g. lpr, ping, etc

I think it just makes more sense to provide all of them (some grouped)
than to only have 1 knob for all of them.

/Johan K

On Wed, Apr 24, 2002 at 19:17 (-0700) +0000, David O'Brien wrote:
> On Thu, Apr 25, 2002 at 03:53:53AM +0200, Johan Karlsson wrote:
> > Basically it protects the BINMODE assignment in the Makefile with
> > .if !defined(NOSUID) && !defined(NOSUID_prog)
> ...
> > +# To avoid installing various parts with the setuid/setgid bit turned on
> > +#
> > +#NOSUID= true # no setuid bit for any of the below
>
> Either do them all, or none. This flag per binary does not scale, nor do
> I see any significant portion of our userbase utilizing the granularity.

--
Johan Karlsson mailto:k@numeri.campus.luth.se
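
Review bot: the inline comment on the `#NOSUID=` line says "no setuid bit for any of the below", while the header comment two lines above it covers setuid/setgid and the message counts sgid Makefiles among those affected; suggest "no setuid/setgid bit for any of the below". Because the guard quoted above tests `!defined(NOSUID)`, the value `true` is never consulted, so the comment should also say that defining the variable with any value, `false` included, enables the knob.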
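
An added example, not part of the original message or of the FreeBSD tree: a small auditor that finds `BINMODE` assignments carrying the setuid or setgid bit and reports whether each sits inside a `.if !defined(NOSUID...)` guard of the kind proposed in the thread. The function names, the accepted `BINMODE` spellings, and the `NOSUID_ping` knob (one instance of the `NOSUID_prog` pattern) are assumptions, and the sample Makefiles are constructed.

```python
import re
from pathlib import Path

# Assumed Makefile forms: "BINMODE=4555", "BINMODE?= 2555", and bmake ".if" blocks.
BINMODE_RE = re.compile(r"^\s*BINMODE\s*[?:+]?=\s*([0-7]{3,4})\b")
GUARD_RE = re.compile(r"^\s*\.\s*if\b.*!\s*defined\s*\(\s*NOSUID(_\w+)?\s*\)")
IF_RE = re.compile(r"^\s*\.\s*if")          # .if, .ifdef, .ifndef, ...
ELSE_RE = re.compile(r"^\s*\.\s*el(se|if)")
ENDIF_RE = re.compile(r"^\s*\.\s*endif\b")

def audit_makefile(text):
    """Return (lineno, mode, kind, guarded) for each setuid/setgid BINMODE."""
    findings, stack = [], []   # stack: True for each open NOSUID-guarded .if
    for lineno, line in enumerate(text.splitlines(), 1):
        if GUARD_RE.match(line):
            stack.append(True)
        elif IF_RE.match(line):
            stack.append(False)
        elif ELSE_RE.match(line) and stack:
            stack[-1] = False   # the .else/.elif branch is not the guarded one
        elif ENDIF_RE.match(line) and stack:
            stack.pop()
        m = BINMODE_RE.match(line)
        if not m:
            continue
        mode = int(m.group(1), 8)
        kinds = [n for bit, n in ((0o4000, "setuid"), (0o2000, "setgid")) if mode & bit]
        if kinds:
            findings.append((lineno, m.group(1), "+".join(kinds), any(stack)))
    return findings

def audit_tree(root):
    """Audit every file named Makefile under root; returns {path: findings}."""
    out = {}
    for path in sorted(Path(root).rglob("Makefile")):
        hits = audit_makefile(path.read_text(errors="replace"))
        if hits:
            out[str(path)] = hits
    return out

# Constructed samples (not taken from the FreeBSD tree).
GUARDED = "PROG=\tping\n.if !defined(NOSUID) && !defined(NOSUID_ping)\nBINMODE=4555\n.endif\n"
UNGUARDED = "PROG=\tlpr\nBINGRP=\tdaemon\nBINMODE=6555\n"

if __name__ == "__main__":
    for name, text in (("guarded", GUARDED), ("unguarded", UNGUARDED)):
        print(name, audit_makefile(text))
```

Run over a source tree, `audit_tree` gives the list of Makefiles a per-program or global knob would have to cover, and the `guarded` flag shows which ones a patch has not reached yet.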