As you suspect, mounting nosuid makes /etc/security skip the
suid checks... good for giving the security-unconscious a reason
to fix their system :)
I was always quite impressed with this :)
> On Mon, Jun 04, 2001 at 12:07:19PM -0700, Matthew Jacob wrote:
>
> Does /etc/security take filesystem mounted with:
>
> nosuid Do not allow set-user-identifier or set-group-identifier
> bits to take effect. Note: this option is worthless if a
> public available suid or sgid wrapper like suidperl(1)
> is installed on your system.
>
> into account? If so, and the filesystems have nothing on them that
> needs suid you could mount 'm this way
>
> Just a thought,
>
> Wilko
>
> > That's an interesting question.
> >
> > A couple of ideas:
> >
> > a) I wonder of RWatson's ACL stuff could help here?
> >
> > b) This problem cries for a DMAPI type solution- you could have a daemon that
> > monitors all creats/chmods and retains knowledge of the filenames for all
> > SUID/SGID creats/chmods- this way /etc/security would simply summarize the
> > current list and could be run any time.
> >
> > > /etc/security takes a number of hours to run on my system. The problem
> > > is that I have some very large mounted file systems and the code to look
> > > for setuid files wants to walk through them all. I recoded the check in
> > > Perl, but it ran at about the same speed. I have considered reworking
> > > the code to do the file systems in parallel, but I thought I should ask
> > > here first. Comments? Suggestions?
> > >
> > > -r
> > >
> >
> >
> >
> > To Unsubscribe: send mail to [EMAIL PROTECTED]
> > with "unsubscribe freebsd-hackers" in the body of the message
> ---end of quoted text---
>
> --
> | / o / / _ Arnhem, The Netherlands email: [EMAIL PROTECTED]
> |/|/ / / /( (_) Bulte Powered by FreeBSD/[alpha,x86] http://www.freebsd.org
--
Brian <[EMAIL PROTECTED]> <brian@[uk.]FreeBSD.org>
<http://www.Awfulhak.org> <brian@[uk.]OpenBSD.org>
Don't _EVER_ lose your sense of humour !
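The check the thread is discussing, as an added example that is not part of the original mail and not the /etc/security script itself: it reads FreeBSD-style mount(8) output ("device on mountpoint (options)"), keeps only the filesystems whose option list lacks nosuid (the ones where setuid bits can take effect), and walks each of those once with find -xdev for setuid/setgid files. The function names and the sample mount lines are constructed for this illustration.

```shell
#!/bin/sh
# Added example: audit setuid/setgid files only on filesystems where the
# setuid bits can take effect, i.e. those not mounted nosuid.  This is an
# illustration, not the /etc/security script.  It parses mount(8) output of
# the form "/dev/ad0s1a on / (ufs, local, soft-updates)".

# suid_capable_mounts: read mount(8)-style lines on stdin and print the
# mount point of every filesystem whose option list does not contain "nosuid".
suid_capable_mounts() {
    while read -r dev on mnt opts; do
        [ "$on" = "on" ] || continue          # skip lines that are not mount entries
        case "$opts" in
            *nosuid*) ;;                      # setuid bits are ignored here: nothing to audit
            *) printf '%s\n' "$mnt" ;;
        esac
    done
}

# Constructed sample of mount(8) output so the parser can be exercised offline.
SAMPLE_MOUNTS='/dev/ad0s1a on / (ufs, local, soft-updates)
/dev/ad0s1e on /usr (ufs, local, soft-updates)
/dev/ad1s1d on /bigdata (ufs, local, nosuid, soft-updates)
procfs on /proc (procfs, local)'

# audit_setuid: for each suid-capable mount point on the live system, list
# setuid/setgid regular files.  -xdev keeps find from crossing into other
# filesystems, so each filesystem is walked exactly once and nosuid
# filesystems (such as a large data volume) are never entered.
audit_setuid() {
    mount | suid_capable_mounts | while read -r mnt; do
        find "$mnt" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
    done
}

# When run directly, show which of the sample mounts would be audited.
if [ "${0##*/}" = "suid_audit.sh" ]; then
    printf '%s\n' "$SAMPLE_MOUNTS" | suid_capable_mounts
fi
```

Running the sample through suid_capable_mounts yields "/", "/usr" and "/proc"; /bigdata is dropped because of its nosuid option, which is exactly the filesystem a long-running walk would otherwise spend its time on. audit_setuid is the same logic applied to the live mount table.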