From owner-freebsd-security Thu Jul 12 13:24:40 2001 Delivered-To: freebsd-security@freebsd.org Received: from m-net.arbornet.org (m-net.arbornet.org [209.142.209.161]) by hub.freebsd.org (Postfix) with ESMTP id 7E99137B401 for ; Thu, 12 Jul 2001 13:24:34 -0700 (PDT) (envelope-from spader@m-net.arbornet.org) Received: (from spader@localhost) by m-net.arbornet.org (8.11.4/8.11.2) id f6CKOXY02871 for security@FreeBSD.ORG; Thu, 12 Jul 2001 16:24:33 -0400 (EDT) (envelope-from spader) Date: Thu, 12 Jul 2001 16:24:33 -0400 From: "Zachary M. Smith" To: security@FreeBSD.ORG Subject: Re: FreeBSD 4.3 local root PREVENTIONS Message-ID: <20010712162433.A499@arbornet.org> References: <6381A6A8826BD31199500090279CAFBA2BD50E@exchange.strategicit.net> <20010712150856.B22961@pir.net> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="opJtzjQTFsWo+cga" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010712150856.B22961@pir.net>; from pir@pir.net on Thu, Jul 12, 2001 at 03:08:56PM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --opJtzjQTFsWo+cga Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable something we do at Arbornet (m-net.arbornet.org) is move all binaries that require setuid to /bin/suid and link them back to their respective places. we also use chflags to set schg uchg on all the suid binaries as well as mounting /bin/suid read-only. by the way, we offer free shells on this machine (running 4.3-STABLE) if any one cares to take a look. login to m-net.arbornet.org as 'newuser' /dev/da0s1a on / (ufs, local, nosuid) /dev/da0s1g on /bin/suid (ufs, local, read-only) /dev/da0s2e on /home (ufs, local, nosuid, with quotas) /dev/da0s3h on /root (ufs, local, nosuid) /dev/ad2f on /tmp (ufs, local, nosuid) /dev/da0s3e on /usr (ufs, local, nosuid) /dev/da0s3g on /usr/bbs (ufs, local, nosuid) /dev/da0s3f on /usr/local (ufs, local, nosuid) /dev/da0s1e on /var (ufs, local, nosuid) /dev/da0s1f on /var/mail (ufs, local, nosuid, with quotas) /dev/ad2g on /usr/obj (ufs, local, nosuid) On Thu, Jul 12, 2001 at 03:08:56PM -0400, Peter Radcliffe wrote: > "Portwood, Jason" probably said: > > Wouldn't it be a better practice to just mount all the partitions that = don't > > need suid as nosuid? Just off the top of my head those candidates would > > be =20 > >=20 > > /tmp > > /home > > /var > >=20 > > Is there a good reason for not doing this? >=20 > I've been doing this for some time. I also mount everything but / > nodev. Doesn't seem to hurt anything I use. >=20 > P. >=20 > --=20 > pir pir@pir.net pir@net.tufts.edu >=20 >=20 > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message --=20 Zach Smith +-------------------+ | UNIX Nerd | | & | | Professional Geek | +-------------------+ spader@arbornet.org GPG: EB0C 89F5 697E FDD5 3AD4 2ADE 33A1 5A5E 50B7 1FA0 PGP: 9F 67 72 95 8D 15 2D DC 19 D8 23 75 60 61 CE 0D --opJtzjQTFsWo+cga Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iEYEARECAAYFAjtOB4AACgkQM6FaXlC3H6C28gCdHODK3US/YjwgPHiH0UmmO0tL AWQAmgI9tXlUuSECX4XuruYZytyMoMmR =/Fw8 -----END PGP SIGNATURE----- --opJtzjQTFsWo+cga-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message