From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: Ceri Davies, Don Lewis, glebius@FreeBSD.org, src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
Date: Thu, 13 Jan 2005 21:07:55 +0200
Subject: Re: cvs commit: src/etc/periodic/security 100.chksetuid
Message-ID: <20050113190755.GA24939@orion.daedalusnetworks.priv>
In-Reply-To: <20050113185323.GI49329@submonkey.net>
References: <20050113153228.GG49329@submonkey.net> <200501131849.j0DInEEE029957@gw.catspoiler.org> <20050113185323.GI49329@submonkey.net>

On 2005-01-13 18:53, Ceri Davies wrote:
> On Thu, Jan 13, 2005 at 10:49:14AM -0800, Don Lewis wrote:
>> On 13 Jan, Ceri Davies wrote:
>>> On Thu, Jan 13, 2005 at 06:28:26PM +0300, Gleb Smirnoff wrote:
>>>> On Thu, Jan 13, 2005 at 03:24:30PM +0000, Ceri Davies wrote:
>>>>> Umm, why not? If setuid binaries appear anywhere on my system then I'd
>>>>> like to continue to be told so that I can be confident of where they
>>>>> came from. I don't care if they pose an immediate threat or not.
>>>>
>>>> In this case "grep -v nosuid" must be removed, too, to be consistent.
>>>>
>>>> P.S. We have "grep -v nosuid" from the very beginning.
>>>
>>> Hmm. I retract my objection then, whilst retaining my reservations.
>>
>> I did something like this locally way back in the 2.1.x days. Running
>> suid checks on the news spool, the squid cache, the CD-ROM changer
>> (causing it to sometimes lock up), and a bunch of NFS clients
>> simultaneously doing suid checks on the same NFS server got to be a
>> drag.
>
> Sounds like something like chksetuid_exclude which lists mountpoints to
> exclude might be in order. Any objections to me putting that together,
> or are people happy with the status quo?

It's not a bad idea. While you're at it, a knob that disables checks for
NFS-mounted filesystems may be nice too. It doesn't make sense to check
the same files both in the client *and* the server, as Don has pointed out.

I think I can almost see this coming :-)

daily_status_security_chksetuid_nfs="NO"

- Giorgos
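The mountpoint selection the thread is proposing (skip nosuid mounts, skip NFS clients unless asked, skip an explicit exclude list), written out as an added shell example that is neither FreeBSD's 100.chksetuid nor code from anyone in the thread. It assumes the fstab-style line format of FreeBSD's "mount -p" and uses the knob names chksetuid_exclude and daily_status_security_chksetuid_nfs only as proposed above, not as shipped settings.

```shell
#!/bin/sh
# Added example, not FreeBSD's own 100.chksetuid: pick the mountpoints a daily
# setuid scan should visit. Input is fstab-style lines as printed by "mount -p"
# on FreeBSD (device mountpoint fstype options dump pass); the two knob names
# are the ones proposed in the thread, not shipped settings.

daily_status_security_chksetuid_nfs="${daily_status_security_chksetuid_nfs:-NO}"
chksetuid_exclude="${chksetuid_exclude:-/var/spool/news /var/squid}"

# Reads mount-table lines on stdin, prints the mountpoints to scan. Skips
# nosuid mounts (the kernel ignores setuid bits there anyway), NFS mounts
# unless the nfs knob is YES (the server scans its own disks), and any
# mountpoint listed in chksetuid_exclude.
filter_mountpoints() {
    while read -r _dev mp fstype opts _rest; do
        [ -n "$mp" ] || continue
        case ",$opts," in
            *,nosuid,*) continue ;;
        esac
        if [ "$fstype" = nfs ] && [ "$daily_status_security_chksetuid_nfs" != YES ]; then
            continue
        fi
        skip=0
        for ex in $chksetuid_exclude; do
            if [ "$mp" = "$ex" ]; then skip=1; fi
        done
        [ "$skip" -eq 0 ] || continue
        printf '%s\n' "$mp"
    done
}
# Constructed sample mount table for the demonstration.
sample_mounts() {
    cat <<'EOF'
/dev/ada0p2 / ufs rw 1 1
/dev/ada0p4 /usr ufs rw 2 2
/dev/ada0p5 /var/spool/news ufs rw 2 2
/dev/cd0 /cdrom cd9660 ro,nosuid 0 0
fileserver:/export/home /home nfs rw 0 0
/dev/ada0p6 /tmp ufs rw,nosuid 2 2
EOF
}
# The scan itself: one find per selected mountpoint, confined to that
# filesystem with -xdev so nested mounts are not walked twice. Usage on a
# real host: mount -p | scan_setuid; dry run: sample_mounts | scan_setuid
scan_setuid() {
    filter_mountpoints | while read -r mp; do
        find "$mp" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
    done
}
```

With the sample table and default knobs only / and /usr are scanned; setting the nfs knob to YES adds /home, and clearing the exclude list brings the news spool back.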