From: "Jim"
Delivered-To: freebsd-questions@freebsd.org
Date: Sun, 26 Oct 2003 08:10:15 -0600
Subject: SUID /usr/bin/rsh on Stable 4.8 after installworld

I am very new to FreeBSD, so I know there is a simple answer to this:

I have installed FreeBSD 4.8 Stable on a machine. The installation always runs like silk. I then begin locking down some of the machine's conf files, shut down unnecessary daemons, etc. This includes setting permissions on unused suid/sgid binaries to 000. This process always works fine, and even after reboot, the binaries I have reduced permissions on stay reduced. At some point in this process however, I get to cvsup, buildworld, and installworld. This process re-enables the old permissions on the files I so diligently locked down.

I would expect there is a flag or include/exclude file somewhere I need to look up to prevent cvsup from doing this in the first place, but like I said, I'm new.

The problem I need help with though, is the fact that I cannot chmod 000 certain binaries after this process (for example: /usr/bin/rsh, /usr/bin/yppasswd, /usr/bin/ypchfn, etc.). The following occurs:

    # chmod 000 /usr/bin/rsh
    chmod: /usr/bin/rsh: Operation not permitted

A listing of the file:

    # ll /usr/bin/rsh
    -r-sr-xr-x 1 root wheel 7980 Oct 26 07:36 /usr/bin/rsh

I am logged in as root on the console. My cvs-supfile is very basic:

    *default host=cvsup8.FreeBSD.org
    *default base=/usr
    *default prefix=/usr
    *default release=cvs
    *default compress
    src-all tag=RELENG_4_8
    ports-all tag=.

What changes during installworld that prevents me from shutting these down again?

If anyone needs more information, just let me know what you're looking for.

Jim
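
The lockdown step described in the message above, written as a script that can be re-run after every installworld. This is an added example, not part of the original post; the list-file format, the function names and the script name relock.sh are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): re-apply a suid/sgid lockdown
# after installworld and report every file that refuses the change.
# Assumed list format: one absolute path per line; blank lines and
# lines starting with '#' are skipped.

# Mode string as printed by ls, e.g. "-r-sr-xr-x"; empty if the path is missing.
mode_of() {
    ls -ld "$1" 2>/dev/null | awk '{print $1}'
}

# Succeeds when the mode string carries a setuid (4th char) or setgid (7th char) bit.
has_suid_sgid() {
    case "$1" in
        ???[sS]*|??????[sS]*) return 0 ;;
    esac
    return 1
}

# chmod 000 every path listed in file $1; print one status line per path.
# Returns 1 if any path refused the change, 0 otherwise.
relock() {
    refused=0
    while IFS= read -r path; do
        case "$path" in ''|'#'*) continue ;; esac
        before=$(mode_of "$path")
        if [ -z "$before" ]; then
            echo "MISSING  $path"
        elif chmod 000 "$path" 2>/dev/null; then
            if has_suid_sgid "$before"; then
                echo "RELOCKED $path (was $before, suid/sgid had been restored)"
            else
                echo "OK       $path (was $before)"
            fi
        else
            # chmod(2) fails with EPERM, even for root, when an immutable
            # file flag such as schg is set; on FreeBSD "ls -lo" adds the
            # flags column, so print that listing for follow-up.
            echo "REFUSED  $path"
            ls -lo "$path"
            refused=1
        fi
    done < "$1"
    return "$refused"
}

# Run only when a list file is given, e.g.: sh relock.sh /root/lockdown.list
if [ $# -gt 0 ]; then
    relock "$1"
fi
```

A non-zero exit status means at least one listed file, like /usr/bin/rsh in the message, kept its old mode and needs a closer look.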