Date:      Mon, 04 Jun 2001 22:48:36 +0100
From:      Brian Somers <brian@Awfulhak.org>
To:        Wilko Bulte <wkb@freebie.demon.nl>
Cc:        Matthew Jacob <mjacob@feral.com>, Rich Morin <rdm@cfcl.com>, hackers@FreeBSD.ORG, brian@Awfulhak.org
Subject:   Re: speeding up /etc/security 
Message-ID:  <200106042148.f54Lma209767@hak.lan.Awfulhak.org>
In-Reply-To: Message from Wilko Bulte <wkb@freebie.demon.nl>  of "Mon, 04 Jun 2001 21:19:09 +0200." <20010604211909.B1112@freebie.demon.nl> 

As you suspect, mounting nosuid makes /etc/security skip the 
suid checks... good for giving the security-unconscious a reason 
to fix their system :)

I was always quite impressed with this :)

> On Mon, Jun 04, 2001 at 12:07:19PM -0700, Matthew Jacob wrote:
> 
> Does /etc/security take filesystem mounted with:
> 
>  nosuid  Do not allow set-user-identifier or set-group-identifier
>          bits to take effect.  Note: this option is worthless if a
>          public available suid or sgid wrapper like suidperl(1)
>          is installed on your system.
> 
> into account? If so, and the filesystems have nothing on them that
> needs suid you could mount 'm this way
> 
> Just a thought,
> 
> Wilko
> 
> > That's an interesting question.
> > 
> > A couple of ideas:
> > 
> > a) I wonder if RWatson's ACL stuff could help here?
> > 
> > b) This problem cries for a DMAPI type solution- you could have a daemon that
> > monitors all creats/chmods and retains knowledge of the filenames for all
> > SUID/SGID creats/chmods- this way /etc/security would simply summarize the
> > current list and could be run any time.
> > 
> > > /etc/security takes a number of hours to run on my system.  The problem
> > > is that I have some very large mounted file systems and the code to look
> > > for setuid files wants to walk through them all.  I recoded the check in
> > > Perl, but it ran at about the same speed.  I have considered reworking
> > > the code to do the file systems in parallel, but I thought I should ask
> > > here first.  Comments?  Suggestions?
> > > 
> > > -r
> > > 
> > 
> > 
> > 
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-hackers" in the body of the message
> ---end of quoted text---
> 
> -- 
> |   / o / /  _  	 Arnhem, The Netherlands    	email: wilko@freebsd.org
> |/|/ / / /( (_) Bulte	 Powered by FreeBSD/[alpha,x86]	http://www.freebsd.org 	

-- 
Brian <brian@Awfulhak.org>                        <brian@[uk.]FreeBSD.org>
      <http://www.Awfulhak.org>;                   <brian@[uk.]OpenBSD.org>
Don't _EVER_ lose your sense of humour !

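The thread discusses three things a setuid sweep like /etc/security has to get right: skipping filesystems mounted nosuid (where the bits cannot take effect), walking the remaining filesystems in parallel (Rich's idea), and reporting what changed since the last run. The script below is an added example written for this page; it is not code from the thread and not FreeBSD's /etc/security. The function names, the baseline file location and the mount(8) output parsing are assumptions; `-xdev` and `-perm -4000`/`-2000` are the portable find(1) options that work on both BSD and GNU find.

```shell
#!/bin/sh
# Added example (not the thread's code): a setuid/setgid sweep that
# 1) skips filesystems mounted nosuid, as /etc/security does,
# 2) walks each remaining filesystem in its own background job, and
# 3) diffs the result against the previous run so a new setuid file stands out.

BASELINE=${BASELINE:-/var/tmp/setuid.list}   # assumed location, not FreeBSD's

# Read mount(8) output on stdin and print mount points that are NOT nosuid.
# Accepts the FreeBSD form "dev on /mp (ufs, local, nosuid)" and the Linux
# form "dev on /mp type ext4 (rw,nosuid)"; the mount point is field 3 in both.
scannable_mounts() {
    awk '$2 == "on" && $0 !~ /[(,] ?nosuid[,)]/ { print $3 }'
}

# Print setuid/setgid regular files under one filesystem without crossing
# into other mounts (each mount gets its own job in scan_all).
suid_scan() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Scan every suid-capable filesystem concurrently and write a sorted list
# to $1. Mount points containing whitespace are not handled by this loop.
scan_all() {
    work=$(mktemp -d) || return 1
    for mp in $(mount | scannable_mounts); do
        suid_scan "$mp" > "$work/$(printf '%s' "$mp" | tr / _)" &
    done
    wait
    cat "$work"/* | sort > "$1"
    rm -rf "$work"
}

# Compare the previous sorted list ($1) with the current one ($2) and
# print only the entries that appeared or disappeared.
report_changes() {
    if [ -f "$1" ]; then
        diff "$1" "$2" | sed -n 's/^< /removed: /p; s/^> /added: /p'
    else
        echo "no baseline yet; recording $(wc -l < "$2" | tr -d ' ') entries"
    fi
}

# Invoke as "sh setuid-sweep.sh run" (assumed name) to do a real sweep.
if [ "${1-}" = "run" ]; then
    today=$(mktemp) || exit 1
    scan_all "$today"
    report_changes "$BASELINE" "$today"
    mv "$today" "$BASELINE"
fi
```

Skipping nosuid mounts is what makes the sweep fast on large data filesystems, and it is also the trade-off Brian points at: a setuid bit set on such a filesystem is harmless to the kernel but invisible to this check, and, as the quoted mount(8) text notes, nosuid does nothing against a setuid wrapper such as suidperl(1) installed on a filesystem that does honour the bit.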