[Trimmed cc-list]

Mike Williams writes:
> IHAC that is having to answer to their computer security group regarding
> the use of "suid" files in Solaris 10.
> Seems they are asking if "suid" can be removed from the various Solaris
> files systems to remove what they think may be a potential security
> risk. They also noticed that the use of the Veritas File System (VxFS)
> does the same (output below)

Files or file systems?

For individual files that Sun ships, Sun's engineers deliberately
choose to set the 'setuid' bit when it is necessary to do so. It
doesn't happen just "by accident," and the customer can't just remove
the bits from random files and hope that everything will still work
any more than he can overwrite executables with new bits and expect
support.

Instead, the options are either (a) file a bug against the things you
believe incorrectly use setuid powers or (b) get involved in
opensolaris.org where you can participate in the design decisions that
lead up to these choices and contribute actual changes to the system.

For the file system mount flags, this sounds like it could be a valid
complaint for (at least) the installer, and then only for the
particular famous mount points it can create. I suggest filing a bug.
(Though perhaps it's really an RFE ...)

> /usr/local on /dev/md/dsk/d5
> read/write/setuid/intr/largefiles/logging/xattr/onerror=panic/dev=154000

That doesn't come with Solaris. You've presumably added this entry
yourself. It's (thus) your choice whether you include "nosuid" among
the mount options in /etc/vfstab.

I don't see how Sun can specify the mount options for things that we
haven't deliberately designed and that aren't part of Solaris.

The standard mount options are visible in mount(1M) and the
fs-specific mount page (such as mount_ufs(1M)); choose the ones you
need.

> Data file systems (on: veritas ) has same flag too. I will ask this
> question to Veritas too. But it is kind of overlapping I wanted to know
> OS side opinion on it.

If these are vfstab entries, same answer. If these are things that
some Veritas utility mounts -- something that doesn't come from Sun --
then ask Veritas.

-- 
James Carlson, Solaris Networking              <james.d.carlson at sun.com>
Sun Microsystems / 35 Network Drive        71.232W   Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757   42.496N   Fax +1 781 442 1677
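
The vfstab choice discussed in the message above can be audited with a short script. This is an added example, not part of the original message or any Sun tool: it lists mount points whose /etc/vfstab options field lacks "nosuid"/"nosetuid". The function names, the list of skipped pseudo file system types, and every sample entry except /usr/local on /dev/md/dsk/d5 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report vfstab entries that would be mounted without
# "nosuid"/"nosetuid" in the mount-options field.
# vfstab columns: device-to-mount device-to-fsck mount-point FS-type
#                 fsck-pass mount-at-boot mount-options

# Reads vfstab-format text from the named file(s), or stdin if none given,
# and prints one mount point per line.
vfstab_setuid_mounts() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }        # comments, blank lines
        NF < 7                { next }        # not a complete entry
        $3 == "-"             { next }        # no mount point (swap device)
        $4 ~ /^(proc|fd|ctfs|objfs|mntfs)$/ { next }  # assumption: skip pseudo FS
        {
            restricted = 0
            n = split($7, opt, ",")           # options are comma-separated
            for (i = 1; i <= n; i++)
                if (opt[i] == "nosuid" || opt[i] == "nosetuid")
                    restricted = 1
            if (!restricted) print $3
        }
    ' "$@"
}

# Constructed sample input; only /usr/local on /dev/md/dsk/d5 is from the thread.
sample_vfstab() {
    cat <<'EOF'
#device          device            mount         FS     fsck  mount    mount
#to mount        to fsck           point         type   pass  at boot  options
/proc            -                 /proc         proc   -     no       -
/dev/md/dsk/d1   -                 -             swap   -     no       -
/dev/md/dsk/d0   /dev/md/rdsk/d0   /             ufs    1     no       -
/dev/md/dsk/d5   /dev/md/rdsk/d5   /usr/local    ufs    2     yes      logging
/dev/md/dsk/d6   /dev/md/rdsk/d6   /export/home  ufs    2     yes      logging,nosuid
swap             -                 /tmp          tmpfs  -     yes      -
EOF
}

# Demo on the constructed sample: prints /, /usr/local and /tmp.
sample_vfstab | vfstab_setuid_mounts
```

On a live system, pass the file as an argument: `vfstab_setuid_mounts /etc/vfstab`.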