The /etc/security script, when called from cron, keeps thrashing all my
disks when searching for changes in setuid/setgid files and devices -

It doesn't care about filesystems mounted with the nosuid and nodev flags,
or filesystems unable to do setuid executables or devices at all
(like CDs without RockRidge extensions or FAT partitions). This is
useless and painful.

Is there a better solution than this kludge?
I'm thinking of something that would make statfs(2) usable from the shell,
just as stat(1) does for stat(2).

--- /usr/src/etc/security       Tue Oct 31 03:38:22 2006
+++ /etc/security       Sun Mar 25 02:08:00 2007
@@ -456,9 +456,11 @@
 fi
 
 # Display any changes in setuid/setgid files and devices.
+nosude=`mount | awk '/nodev, nosuid/{print "-o -path "$3" "}'`
 pending="\nChecking setuid/setgid files and devices:\n"
 (find / \( ! -fstype local \
-       -o -fstype procfs -o -fstype afs -o -fstype xfs \) -a -prune -o \
+       -o -fstype procfs -o -fstype afs -o -fstype xfs $nosude \) \
+       -a -prune -o \
        -type f -a \( -perm -u+s -o -perm -g+s \) -print0 -o \
        ! -type d -a ! -type f -a ! -type l -a ! -type s -a ! -type p \
        -print0 | xargs -0 ls -ldgT | sort +9 > $LIST) 2> $OUTPUT
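Review bot: the awk pattern `/nodev, nosuid/` on the added `nosude=` line is order- and spacing-sensitive: it only matches when mount(8) prints those two options adjacent and in exactly that order, so a filesystem listed as, say, `(local, nodev, noexec, nosuid)` would not be pruned, and the optimisation silently stops working if the output format changes. Testing the two options independently, `awk '/nodev/ && /nosuid/ {print "-o -path " $3 " "}'`, is more robust; requiring both is the right condition, since a nosuid-only mount can still hold device nodes and a nodev-only mount can still hold setuid files. The unquoted `$nosude` expansion is also word-split and glob-expanded by the shell, so a mount point containing whitespace or glob characters would yield a malformed find(1) expression. Finally, the variable name reads like a typo for `nosuid`; something like `nosuid_nodev` would document what it holds.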

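As an added example (not code from the original post or from /etc/security), here is the kind of small statfs-from-the-shell helper the question asks about: it reports whether the filesystem holding a path is mounted nosuid and nodev, and its exit status lets a script decide whether find(1) can prune that mount. It uses the portable statvfs(3) interface; ST_NODEV is a non-POSIX extension, so on a platform whose statvfs(3) exposes only ST_RDONLY and ST_NOSUID (as I believe OpenBSD's does) the nodev half of the check would instead have to read MNT_NODEV from statfs(2)'s f_flags.

```c
/* Added example (not from the original post): report the nosuid/nodev
 * mount flags of a path so a shell script can skip filesystems that cannot
 * hold setuid files or devices.  ST_NODEV is non-POSIX, hence _GNU_SOURCE. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <sys/statvfs.h>

#define MF_NOSUID 0x1   /* bits returned by mount_flags() */
#define MF_NODEV  0x2

/* Bitmask of MF_* flags for the filesystem holding path, or -1 on error. */
int mount_flags(const char *path)
{
    struct statvfs sv;
    int flags = 0;
    if (statvfs(path, &sv) != 0)
        return -1;
    if (sv.f_flag & ST_NOSUID)
        flags |= MF_NOSUID;
#ifdef ST_NODEV                 /* absent on some platforms, see lead-in */
    if (sv.f_flag & ST_NODEV)
        flags |= MF_NODEV;
#endif
    return flags;
}

/* True only when neither setuid binaries nor device nodes can exist here. */
int can_prune(const char *path)
{
    int f = mount_flags(path);
    return f >= 0 && (f & (MF_NOSUID | MF_NODEV)) == (MF_NOSUID | MF_NODEV);
}

/* mntflags PATH...: print each PATH's flags; exit 0 only if every PATH
 * is prunable, so a script can use it directly in a test. */
int main(int argc, char **argv)
{
    int i, rc = 0;
    for (i = 1; i < argc; i++) {
        int f = mount_flags(argv[i]);
        if (f < 0) { perror(argv[i]); rc = 2; continue; }
        printf("%s:%s%s\n", argv[i], (f & MF_NOSUID) ? " nosuid" : "",
               (f & MF_NODEV) ? " nodev" : "");
        if (!can_prune(argv[i])) rc = 1;
    }
    return rc;
}
```

A script could then build its prune list by running this over the mount points from mount(8) instead of pattern-matching mount's textual output.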