|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: suid bit files + securing FreeBSD (new program: LockDown)
From: Socketd (db
traceroute.dk)
Date: Sun Jul 27 2003 - 06:28:47 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Sun, 27 Jul 2003 09:57:10 +1000
Peter Jeremy <PeterJeremyoptushome.com.au> wrote:
> > But what files REALLY MUST have it ?
>
> There's no simple answer to this. It's a matter of going through each
> file with setuid (or setgid) set, understanding why that file has the
> set[gu]id bit and whether you need that functionality.
Robert Watson is going through all the setuid files, to see which really
need to be setuid. In -CURRENT he has removed the setuid bit from quota.
Anyway I have been thinking about writing a program to make the default
installation (with "extreme" security) even more secure. I have attached
the configuration file, it should explain what the program can do. (not
one line of code have been written yet).
Btw setting noexec and nosuid on a mount point is a little redundante
right? I mean since the user can't execute files, there is no point in
also setting nosuid?
Best regards
Socketd
ps: Please remember that the LockDown configuration file is only version
0.1, so nothing is final.
_______________________________________________
freebsd-securityfreebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribefreebsd.org"
- application/octet-stream attachment: lockdown.conf
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]