Date: Thu, 12 Jul 2001 16:24:33 -0400
From: "Zachary M. Smith" <spader@arbornet.org>
To: security@FreeBSD.ORG
Subject: Re: FreeBSD 4.3 local root PREVENTIONS
Message-ID: <20010712162433.A499@arbornet.org>
In-Reply-To: <20010712150856.B22961@pir.net>; from pir@pir.net on Thu, Jul 12, 2001 at 03:08:56PM -0400
References: <6381A6A8826BD31199500090279CAFBA2BD50E@exchange.strategicit.net> <20010712150856.B22961@pir.net>
Something we do at Arbornet (m-net.arbornet.org) is move all binaries that require setuid to /bin/suid and link them back to their respective places. We also use chflags to set schg uchg on all the suid binaries, as well as mounting /bin/suid read-only.

By the way, we offer free shells on this machine (running 4.3-STABLE) if anyone cares to take a look. Log in to m-net.arbornet.org as 'newuser'.

/dev/da0s1a on / (ufs, local, nosuid)
/dev/da0s1g on /bin/suid (ufs, local, read-only)
/dev/da0s2e on /home (ufs, local, nosuid, with quotas)
/dev/da0s3h on /root (ufs, local, nosuid)
/dev/ad2f on /tmp (ufs, local, nosuid)
/dev/da0s3e on /usr (ufs, local, nosuid)
/dev/da0s3g on /usr/bbs (ufs, local, nosuid)
/dev/da0s3f on /usr/local (ufs, local, nosuid)
/dev/da0s1e on /var (ufs, local, nosuid)
/dev/da0s1f on /var/mail (ufs, local, nosuid, with quotas)
/dev/ad2g on /usr/obj (ufs, local, nosuid)

On Thu, Jul 12, 2001 at 03:08:56PM -0400, Peter Radcliffe wrote:
> "Portwood, Jason" <JPortwood@strategicit.net> probably said:
> > Wouldn't it be a better practice to just mount all the partitions that don't
> > need suid as nosuid? Just off the top of my head those candidates would
> > be
> >
> > /tmp
> > /home
> > /var
> >
> > Is there a good reason for not doing this?
>
> I've been doing this for some time. I also mount everything but /
> nodev. Doesn't seem to hurt anything I use.
>
> P.
>
> --
> pir pir@pir.net pir@net.tufts.edu

--
Zach Smith
+-------------------+
| UNIX Nerd         |
| &                 |
| Professional Geek |
+-------------------+
spader@arbornet.org
GPG: EB0C 89F5 697E FDD5 3AD4 2ADE 33A1 5A5E 50B7 1FA0
PGP: 9F 67 72 95 8D 15 2D DC 19 D8 23 75 60 61 CE 0D

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
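The layout above (every filesystem nosuid except one read-only partition holding the setuid binaries, plus nodev on everything but /) is easy to drift away from as partitions are added or remounted. The following is an added example, not code from the mail or from Arbornet: a POSIX sh/awk audit that reads mount(8)-style lines of the form shown in the mail and reports the mount points missing a given option. The function names (mounts_lacking, missing_in_sample) and the SAMPLE_MOUNTS lines are mine; the sample is constructed to resemble the mail's layout, with /tmp and /var deliberately left without nosuid so the check has something to find.

```shell
#!/bin/sh
# Added example (not from the mail): audit mount(8)-style output for
# filesystems that carry none of a given set of mount options.
# The sample below is constructed, not captured from a real host; note that
# /tmp and /var have been left without nosuid on purpose.
SAMPLE_MOUNTS='/dev/da0s1a on / (ufs, local, nosuid)
/dev/da0s1g on /bin/suid (ufs, local, read-only)
/dev/da0s2e on /home (ufs, local, nosuid, with quotas)
/dev/ad2f on /tmp (ufs, local, nodev)
/dev/da0s1e on /var (ufs, local)
procfs on /proc (procfs, local)'

# mounts_lacking "opt1 opt2 ...": read mount lines on stdin and print the
# mount point of every line that carries none of the listed options.
# Expected line layout: <device> on <mountpoint> (<opt>, <opt>, ...)
mounts_lacking() {
    awk -v accept="$1" '
        BEGIN { na = split(accept, acc, " ") }
        {
            mp = $3                       # third field is the mount point
            opts = $0
            sub(/^[^(]*\(/, "", opts)     # drop everything up to "("
            sub(/\)[^)]*$/, "", opts)     # drop the closing ")"
            n = split(opts, a, ", *")     # "with quotas" stays one option
            ok = 0
            for (i = 1; i <= n; i++)
                for (j = 1; j <= na; j++)
                    if (a[i] == acc[j]) ok = 1
            if (!ok) print mp
        }'
}

# missing_in_sample "opt1 opt2 ...": run the audit over the constructed
# sample and return the offending mount points as one space-separated line.
missing_in_sample() {
    printf '%s\n' "$SAMPLE_MOUNTS" | mounts_lacking "$1" | tr '\n' ' ' | sed 's/ $//'
}

# On a live host the same check reads the real mount table, assuming its
# output uses the layout above:
#   mount | mounts_lacking nosuid
#   mount | mounts_lacking nodev
#   mount | mounts_lacking "nosuid read-only"   # writable AND honours setuid
```

Passing "nosuid read-only" as the accepted set reports only the filesystems that are both writable and able to honour setuid bits, which is the combination the mail's layout is designed to eliminate; the dedicated suid partition then drops out of the report because it is read-only, so it does not need to be special-cased.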
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010712162433.A499>