From: Wilko Bulte
To: Matthew Jacob
Cc: Rich Morin, hackers@freebsd.org
Date: Mon, 4 Jun 2001 21:19:09 +0200
Subject: Re: speeding up /etc/security
Message-ID: <20010604211909.B1112@freebie.demon.nl>

On Mon, Jun 04, 2001 at 12:07:19PM -0700, Matthew Jacob wrote:

Does /etc/security take filesystem mounted with:

     nosuid  Do not allow set-user-identifier or set-group-identifier bits
             to take effect.  Note: this option is worthless if a public
             available suid or sgid wrapper like suidperl(1) is installed
             on your system.

into account? If so, and the filesystems have nothing on them that needs
suid you could mount 'm this way

Just a thought,
Wilko

> That's an interesting question.
>
> A couple of ideas:
>
> a) I wonder if RWatson's ACL stuff could help here?
>
> b) This problem cries for a DMAPI type solution- you could have a daemon that
> monitors all creats/chmods and retains knowledge of the filenames for all
> SUID/SGID creats/chmods- this way /etc/security would simply summarize the
> current list and could be run any time.
>
> > /etc/security takes a number of hours to run on my system.  The problem
> > is that I have some very large mounted file systems and the code to look
> > for setuid files wants to walk through them all.  I recoded the check in
> > Perl, but it ran at about the same speed.  I have considered reworking
> > the code to do the file systems in parallel, but I thought I should ask
> > here first.  Comments?  Suggestions?
> >
> > -r

---end of quoted text---

--
|   / o / /  _   Arnhem, The Netherlands   email: wilko@freebsd.org
|/|/ / / /( (_) Bulte   Powered by FreeBSD/[alpha,x86] http://www.freebsd.org
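
The nosuid suggestion in the message above, as an added example that is not part of the original mail or of FreeBSD's /etc/security script: the setuid scan walks only filesystems whose mount options still let set-id bits take effect. The function names and the sample mount(8) lines are constructed for illustration, and limiting the scan to local ufs filesystems is an assumption.

```shell
#!/bin/sh
# Added example: pick the filesystems a setuid/setgid scan has to walk,
# skipping those mounted nosuid.

# Constructed sample in the format printed by mount(8) on FreeBSD.
SAMPLE_MOUNT_OUTPUT='/dev/ad0s1a on / (ufs, local)
/dev/ad0s1f on /usr (ufs, local, soft-updates)
/dev/da0s1e on /data (ufs, local, nosuid)
/dev/da1s1e on /export/home (ufs, local, nosuid, soft-updates)
procfs on /proc (procfs, local)
fileserver:/archive on /archive (nfs)'

# Read mount(8) output on stdin and print the mount points to scan.
# Assumption: only local ufs filesystems are of interest; a nosuid mount
# is skipped because set-id bits on it do not take effect.
select_scan_targets() {
    awk '{
        on = index($0, " on ")
        # The option list is the trailing "(...)" group on the line.
        if (on == 0 || !match($0, / \([^()]*\)$/)) next
        mp = substr($0, on + 4, RSTART - on - 4)
        # Wrap the list in separators so each option matches as a whole word.
        opts = ", " substr($0, RSTART + 2, RLENGTH - 3) ","
        if (opts !~ /, ufs,/ || opts !~ /, local,/) next
        if (opts ~ /, nosuid,/) next
        print mp
    }'
}

# Read mount points on stdin and list setuid/setgid regular files on each,
# staying on that filesystem (-xdev) so nothing is walked twice.
scan_setuid() {
    while IFS= read -r mp; do
        find "$mp" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print \
            2>/dev/null || true
    done
}

# Demonstration on the constructed sample: prints "/" and "/usr".
# On a live system the pipeline would be:
#   mount | select_scan_targets | scan_setuid
printf '%s\n' "$SAMPLE_MOUNT_OUTPUT" | select_scan_targets
```

Set-id files sitting on a nosuid filesystem go unreported with this approach, and the mount(8) note quoted in the message still applies: a suid wrapper such as suidperl(1) elsewhere on the system defeats the option.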