On Thu, 4 Dec 2003, Gino Thomas wrote: > > I asked some ppl the same question, answers vary. On one hand some ppl > trust the suids and claim that messing up with them will open new > problems and that there are also many other ways to get root (kernel, > libc, daemons,...) on the other hand ppl agreed with me that if i don't > need uucp, why should it be on my box anyway (and that suid or sgid). > As said, i disabled all suids except 'su', so a user can't use > 'netstat', 'ping' or even 'man' anymore, but i do not want that on a > bastion host anyway, eh? Mounting whats left on a separate partition > seems to be as logical as doing that for /home, /tmp,... > > I would like to see a detailed discussion about this, too. >
The thing that screams "bad idea" or at least "inconvienient pain in the neck" to me is that, on the off chance that a wide-spread exploit is found and you have to "make world" or whatever, it puts them right back and you have to do it again. Of course, I'm a perl scripter, so by definition I'm lazy[0] ;) -C [0]Larry Wall said it, not me. <g> "Why would burgulars need to look for a backdoor when they can climb in through Windows?" --Norman L DeForest, in NANAE "You know how dumb the average luser is? Well, half of 'em are dumber than that" -- The Roadie, in NANAE _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
