Subject: Re: speeding up /etc/security
From: Brian Somers
To: Wilko Bulte
Cc: Matthew Jacob, Rich Morin, hackers@FreeBSD.ORG, brian@Awfulhak.org
Date: Mon, 04 Jun 2001 22:48:36 +0100
Message-Id: <200106042148.f54Lma209767@hak.lan.Awfulhak.org>
In-Reply-To: Message from Wilko Bulte of "Mon, 04 Jun 2001 21:19:09 +0200." <20010604211909.B1112@freebie.demon.nl>

As you suspect, mounting nosuid makes /etc/security skip the suid
checks... good for giving the security-unconscious a reason to fix
their system :)

I was always quite impressed with this :)

> On Mon, Jun 04, 2001 at 12:07:19PM -0700, Matthew Jacob wrote:
>
> Does /etc/security take filesystems mounted with:
>
>      nosuid  Do not allow set-user-identifier or set-group-identifier
>              bits to take effect.  Note: this option is worthless if a
>              publicly available suid or sgid wrapper like suidperl(1)
>              is installed on your system.
>
> into account?  If so, and the filesystems have nothing on them that
> needs suid you could mount 'm this way
>
> Just a thought,
>
> Wilko
>
> > That's an interesting question.
> >
> > A couple of ideas:
> >
> > a) I wonder if RWatson's ACL stuff could help here?
> >
> > b) This problem cries for a DMAPI type solution- you could have a daemon that
> > monitors all creats/chmods and retains knowledge of the filenames for all
> > SUID/SGID creats/chmods- this way /etc/security would simply summarize the
> > current list and could be run any time.
> >
> > > /etc/security takes a number of hours to run on my system.  The problem
> > > is that I have some very large mounted file systems and the code to look
> > > for setuid files wants to walk through them all.  I recoded the check in
> > > Perl, but it ran at about the same speed.  I have considered reworking
> > > the code to do the file systems in parallel, but I thought I should ask
> > > here first.  Comments?  Suggestions?
> > >
> > > -r
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-hackers" in the body of the message
> ---end of quoted text---
>
> --
> |   / o / /  _     Arnhem, The Netherlands   email: wilko@freebsd.org
> |/|/ / / /( (_)  Bulte   Powered by FreeBSD/[alpha,x86]   http://www.freebsd.org

--
Brian

      Don't _EVER_ lose your sense of humour !
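As an added example (not code from the thread, nor from /etc/security itself), here is a POSIX sh sketch of the two ideas discussed above: skipping nosuid mounts, since the kernel ignores suid bits there, and walking each remaining filesystem with its own find(1) in parallel, as Rich proposed. It assumes mount(8) output of the form "device on /path (options)" and mount points without whitespace.

```shell
#!/bin/sh
# Added example; assumes mount(8) prints "device on /path (options)" lines
# and that mount points contain no whitespace.

# Read mount(8)-style lines on stdin and print the mount points that are
# NOT nosuid, i.e. the only ones whose setuid/setgid bits can take effect.
suid_relevant_mounts() {
    while IFS= read -r line; do
        case "$line" in *nosuid*) continue ;; esac
        mp=${line#* on }          # strip the leading "device on "
        mp=${mp%% *}              # keep just the mount point
        [ -n "$mp" ] && printf '%s\n' "$mp"
    done
}

# List setuid/setgid regular files on ONE filesystem.  -xdev stops find(1)
# from descending into other mounts, so every filesystem is walked once.
scan_fs() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -ld {} + 2>/dev/null
}

# Walk every relevant mount concurrently, one find(1) per filesystem,
# then emit the combined report (the /etc/security-style mode/path list).
scan_all_parallel() {
    tmpd=$(mktemp -d) || return 1
    n=0
    for mp in $(mount | suid_relevant_mounts); do
        scan_fs "$mp" > "$tmpd/$n" &
        n=$((n + 1))
    done
    wait
    cat "$tmpd"/* 2>/dev/null
    rm -rf "$tmpd"
}
```

A nosuid mount still holds files whose suid bits would go live if the option were ever dropped, and Wilko's point about suidperl-style wrappers applies, so the skip is a speed-up, not a guarantee.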