Re: Re[2]: CD installation and file flags

2006-02-13 Thread Lowell Gilbert
Alex Renn [EMAIL PROTECTED] writes:

> Hello Lowell Gilbert!

Hello!

[Don't top-post, please.]

> SUID/SGID files in my default installation do not have any flags set:
>
> $ uname -a
> FreeBSD  6.0-RELEASE FreeBSD 6.0-RELEASE #0: Thu Nov  3 09:36:13 UTC 2005
> [EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERIC  i386
> $ ls -alo `which su`
> -r-sr-xr-x  1 root  wheel  - 11992 Nov  3 08:11 /usr/bin/su
>
> That's why I'm asking about this.
> I think there should be some flags set by default.

Hmm, yes.  The distribution tar files don't seem to have flags set.
The tar documentation claims that it can handle file flags, but
I've never tried it (the Gnu tar, which FreeBSD used until fairly
recently, does not).  From a quick look, the missing flags seem to
be an artifact of the packaging process.  Sorry about missing that
earlier; flags are set on suid files by the source build/install
process, and I haven't done a new install in a long time.

If you source-upgrade the system, you'll get the flags set.
However, if you are interested in this as a security measure, I
recommend setting up your own mtree(1) specification to set the
flags that *you* want.  That will also allow you to use that same
specification to check that the flags have remained the way you
want them set.

Good luck.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
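
A sketch of the mtree approach recommended in the reply above, as an added example that is not part of the original thread. The policy (schg on every setuid/setgid file), the function names and all sample lines except the su entry are assumptions, and the spec uses full-path entries, which assumes an mtree that accepts them.

```sh
#!/bin/sh
# Added example. Policy assumed here: every setuid/setgid file carries schg.
WANT_FLAG=schg

# Constructed sample of `ls -lo` output; only the su line is from the thread.
sample_listing() {
cat <<'EOF'
-r-sr-xr-x  1 root  wheel  - 11992 Nov  3 08:11 /usr/bin/su
-r-sr-xr-x  1 root  wheel  schg 22000 Nov  3 08:11 /usr/bin/passwd
-r-xr-xr-x  1 root  wheel  - 25000 Nov  3 08:11 /bin/ls
-r-xr-sr-x  1 root  kmem  - 98000 Nov  3 08:11 /usr/bin/netstat
EOF
}

# stdin: `ls -lo` lines. stdout: paths of setuid/setgid regular files whose
# flags column (field 5) lacks $WANT_FLAG. Paths with spaces are not handled.
suid_missing_flag() {
    awk -v want="$WANT_FLAG" '
        $1 ~ /^-..[sS]/ || $1 ~ /^-.....[sS]/ {
            ok = 0
            n = split($5, f, ",")
            for (i = 1; i <= n; i++) if (f[i] == want) ok = 1
            if (!ok) print $NF
        }'
}

# stdin: absolute paths. stdout: mtree spec, relative to /, that pins the flag.
make_spec() {
    echo '#mtree'
    sed 's|^/|./|' | sort | while read -r p; do
        printf '%s type=file flags=%s\n' "$p" "$WANT_FLAG"
    done
}

# Demo on the constructed listing: a spec for the files still lacking the flag.
sample_listing | suid_missing_flag | make_spec

# On a real host (not run here): audit, build a spec for all such files,
# apply it, and re-check later.
#   find /bin /sbin /usr/bin /usr/sbin -type f \( -perm -4000 -o -perm -2000 \) \
#       -exec ls -lo {} + | suid_missing_flag
#   find /bin /sbin /usr/bin /usr/sbin -type f \( -perm -4000 -o -perm -2000 \) \
#       | make_spec > suid.mtree
#   mtree -e -U -f suid.mtree -p /   # set the flags named in the spec
#   mtree -e -f suid.mtree -p /      # later: report any entry that drifted
```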


Re[2]: CD installation and file flags

2006-02-12 Thread Alex Renn
Hello Lowell Gilbert!

SUID/SGID files in my default installation do not have any flags set:

$ uname -a
FreeBSD  6.0-RELEASE FreeBSD 6.0-RELEASE #0: Thu Nov  3 09:36:13 UTC 2005 
[EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERIC  i386
$ ls -alo `which su`
-r-sr-xr-x  1 root  wheel  - 11992 Nov  3 08:11 /usr/bin/su

That's why I'm asking about this.
I think there should be some flags set by default.

[ End of message ]

Best Regards,
Alex Renn
[EMAIL PROTECTED]

===[ Original Message ]===

From: Lowell Gilbert [EMAIL PROTECTED]
To: Alex Renn [EMAIL PROTECTED]
Subject: CD installation and file flags
Date: 10.02.2006 20:56

> Alex Renn [EMAIL PROTECTED] writes:
>
> > I installed FreeBSD 6.0 from CD and noticed that file flags were not
> > applied by default to /boot, /bin, /sbin.
>
> Right.  suid files get the flags, but nothing else.
>
> > I set kernel_securelevel to 3 but it does not help a lot while there
> > are no schg flags on system files.
>
> File flags are enforced at a securelevel of 1.  If they are all you
> care about, then there's no reason to add the filesystem mounting,
> clock, and firewall restrictions of levels 2 and 3.
>
> > Is there any script to set proper flags for all files in the default
> > installation?
>
> There is not widespread agreement on the definition of proper in
> that sentence.  Once you have a precise idea of what you think it
> should be, writing a script for your particular needs will be
> trivial.
>
> Be well.

===[ End of Original Message ]===



Re: CD installation and file flags

2006-02-10 Thread Lowell Gilbert
Alex Renn [EMAIL PROTECTED] writes:

> I installed FreeBSD 6.0 from CD and noticed that file flags were not
> applied by default to /boot, /bin, /sbin.

Right.  suid files get the flags, but nothing else.

> I set kernel_securelevel to 3 but it does not help a lot while there
> are no schg flags on system files.

File flags are enforced at a securelevel of 1.  If they are all you
care about, then there's no reason to add the filesystem mounting,
clock, and firewall restrictions of levels 2 and 3.

> Is there any script to set proper flags for all files in the default
> installation?

There is not widespread agreement on the definition of proper in
that sentence.  Once you have a precise idea of what you think it
should be, writing a script for your particular needs will be
trivial.  

Be well.
-- 
Lowell Gilbert, embedded/networking software engineer, Boston area
http://be-well.ilk.org/~lowell/


CD installation and file flags

2006-02-09 Thread Alex Renn
Hello all!

I installed FreeBSD 6.0 from CD and noticed that file flags were not
applied by default to /boot, /bin, /sbin.
I set kernel_securelevel to 3 but it does not help a lot while there
are no schg flags on system files.
Is there any script to set proper flags for all files in the default
installation?

===[ End of message ]===

Best Regards,
Alex Renn
[EMAIL PROTECTED]

  ---[ Nothing is random, just uncertain. ]---
