cvs commit: src/etc/periodic/security 100.chksetuid
Ceri Davies
ceri at submonkey.net
Thu Jan 13 10:53:26 PST 2005
On Thu, Jan 13, 2005 at 10:49:14AM -0800, Don Lewis wrote:
> On 13 Jan, Ceri Davies wrote:
> > On Thu, Jan 13, 2005 at 06:28:26PM +0300, Gleb Smirnoff wrote:
> >> On Thu, Jan 13, 2005 at 03:24:30PM +0000, Ceri Davies wrote:
> >> C> Umm, why not? If setuid binaries appear anywhere on my system then I'd
> >> C> like to continue to be told so that I can be confident of where they
> >> C> came from. I don't care if they pose an immediate threat or not.
> >>
> >> In this case "grep -v nosuid" must be removed, too, to be consistent.
> >>
> >> P.S. We have "grep -v nosuid" from the very beginning.
> >
> > Hmm. I retract my objection then, whilst retaining my reservations.
>
> I did something like this locally way back in the 2.1.x days. Running
> suid checks on the news spool, the squid cache, the CD-ROM changer
> (causing it to sometimes lock up), and a bunch of NFS clients
> simultaneously doing suid checks on the same NFS server got to be a
> drag.
Sounds like something like chksetuid_exclude which lists mountpoints to
exclude might be in order. Any objections to me putting that together,
or are people happy with the status quo?
Ceri
--
Only two things are infinite, the universe and human stupidity, and I'm
not sure about the former. -- Einstein (attrib.)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/cvs-all/attachments/20050113/15ec2ed5/attachment.bin
More information about the cvs-all
mailing list