Excluding File Systems from 100.chksetuid and 110.neggrpperm
tjg at ucsc.edu
Fri Jun 2 19:33:37 UTC 2017
> That thread mentions this posting which contains responses as to why it
> likely was never pursued further:
Sorry, I think I'm missing something. I don't see anything in that
thread that suggests why it wouldn't be implemented. There's some
chatter about not excluding all ZFS filesystems, but I'm not asking
about that. I'm asking about excluding individual filesystems. In
the original post I shared, the suggested patch included the ability
to exclude by mount point, rather than by file system type. My
desired settings would be:
As these are just NFS servers, users never log into them and can't run
processes on them. I could mount them locally with nosuid and noexec,
but then it's not clear to me how that would affect NFS clients that
mount these file systems; I think setting nosuid and noexec on the
server wouldn't have any effect on the NFS clients.
Also, there are certainly legitimate suid and non-suid binaries in
those file systems that need to be run on the clients that mount them.
I suppose if these processes should really run for security purposes,
it would be better to have them run on a particular day. For example,
having them start late on Friday night or very early Saturday morning
would avoid our heaviest workload periods. But that also seems to not
be an option, unless there is something fancy I can do in
periodic.conf that's not immediately apparent to me, or by hacking
files in /etc/periodic, which I'd rather not do if I can avoid it.
BSOE Computing Director
tjg at ucsc.edu
Baskin Engineering, Room 313A
To request BSOE IT support, please visit https://support.soe.ucsc.edu/
or send e-mail to help at soe.ucsc.edu.
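The mount-point exclusion discussed above, as an added example that is not part of the original post or of FreeBSD's own periodic scripts. It models the mount selection a 100.chksetuid-style check performs: take `mount -p`-style lines, keep only ufs and zfs, drop file systems already mounted nosuid or noexec, and additionally drop any mount point named in an exclusion list. The variable `CHKSETUID_EXCLUDE_MOUNTS` and the sample mount table are hypothetical constructs for this illustration, not real periodic.conf knobs or data from the poster's servers.

```shell
#!/bin/sh
# Added example, not code from the original post or from FreeBSD's
# /etc/periodic/security/100.chksetuid.  It shows how a per-mount-point
# exclusion list would narrow the set of file systems a setuid scan walks.

# Constructed sample of `mount -p` output (fstab layout:
# device mountpoint fstype options dump pass).  Hypothetical data.
SAMPLE_MOUNTS='/dev/ada0p2 / ufs rw 1 1
/dev/ada0p3 /usr ufs rw 2 2
tank/export/home /export/home zfs rw,nfsv4acls 0 0
tank/export/scratch /export/scratch zfs rw,nosuid,noexec 0 0
tank/export/software /export/software zfs rw 0 0
procfs /proc procfs rw 0 0'

# Hypothetical exclusion setting (not a real periodic.conf variable):
# whitespace-separated mount points that the scan should skip.
CHKSETUID_EXCLUDE_MOUNTS='/export/home /export/software'

# scan_mounts MOUNT_LINES EXCLUDE_LIST
# Prints, one per line and sorted, the mount points a setuid scan should walk.
scan_mounts() {
    printf '%s\n' "$1" | awk -v excl="$2" '
        BEGIN {
            n = split(excl, ex, /[ \t]+/)
            for (i = 1; i <= n; i++) if (ex[i] != "") skip[ex[i]] = 1
        }
        # Only local ufs and zfs file systems are candidates.
        $3 != "ufs" && $3 != "zfs" { next }
        # Already mounted nosuid or noexec: a setuid bit there is inert.
        $4 ~ /(^|,)no(suid|exec)(,|$)/ { next }
        # Explicitly excluded by mount point.
        ($2 in skip) { next }
        { print $2 }' | LC_ALL=C sort
}

# scan_mounts_joined MOUNT_LINES EXCLUDE_LIST
# Same result space-joined, convenient for passing to find(1) or comparing.
scan_mounts_joined() {
    scan_mounts "$1" "$2" | tr '\n' ' ' | sed 's/ $//'
}

# Stand-alone run: print what would be scanned.  On a real system the
# remaining mount points would be handed to a find(1) invocation such as
#   find -sx $MP /dev/null -type f \( -perm -u+s -o -perm -g+s \) -exec ls -liTd {} +
# where -x keeps find from crossing into the excluded file systems.
scan_mounts "$SAMPLE_MOUNTS" "$CHKSETUID_EXCLUDE_MOUNTS"
```

With the exclusion list set, only `/` and `/usr` remain; with it empty, the two NFS-exported data sets come back into scope while `/export/scratch` stays out because its own nosuid,noexec options already make the scan pointless there.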
More information about the freebsd-questions