Thomas Törnblom wrote:
> Mike Williams wrote:
>> IHAC that is having to answer to their computer security group
>> regarding the use of "suid" files in Solaris 10.
>> Seems they are asking if "suid" can be removed from the various
>> Solaris file systems to remove what they think may be a potential
>> security risk. They also noticed that the use of the Veritas File
>> System (VxFS) does the same (output below)
>>
>> Can these file systems be mounted without the use of "suid" and
>> still have a viable fully functional Solaris and VxFS file system?
>> It is noted that the suid option is not specifically listed in the
>> vfstab, yet these file systems report as being mounted with "suid".
>>
>> Anyone have any experience dealing with this or have a reasonable
>> explanation why it behaves this way?
>
>

As Mike indicated, the 'suid' option for mounting a filesystem (ANY filesystem which supports POSIX-style permissions) merely enables the ability of certain binaries to be run suid. Realistically, what the flag does is enable that functionality in the kernel for the given filesystem.

I'm not 100% sure, but I _think_ the RBAC stuff requires suid for /. (that is, RBAC depends on certain binaries normally housed in several of the / directories to be suid). And, I'm _sure_ that many other system admin-related utils are suid, which means that turning them off would, at the least, cripple the ability of anyone other than root to do sysadmin, and probably would have other consequences that I'm not immediately aware of.

Remember, suid is not just for 'pretending' you are root. It's for changing your identity to another one. Cron(1m) does this.

suid is a default option for mount(1m). Have them check out the man page for more information as to what the defaults are now.

Removing suid on pure data partitions (as ITOps does here for home directories) is probably a good idea. For the system partitions, I can't see it as a good thing - if they are worried about security, a selective removal of the suid bit from certain individual binaries is likely a better option. But wholesale removal is unlikely to work (that is, likely to leave the system crippled in weird ways).

-- 
Erik Trimble
Java System Support
Mailstop: usca22-123
Phone: x17195
Santa Clara, CA
Timezone: US/Pacific (GMT-0800)
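
The audit behind the two suggestions in the reply above (nosuid on pure data partitions, selective removal of the bit elsewhere), as an added example that is not part of the original thread. The function names are hypothetical, the sample mount table is constructed, and the field layout (special, mount point, fstype, options) is assumed to match /etc/mnttab.

```shell
#!/bin/sh
# Added example: inventory helpers for deciding where nosuid is safe.

# Print mount points whose option list (4th field) lacks nosuid/nosetuid.
# Reads mount-table lines on stdin; field layout is an assumption:
#   special  mount_point  fstype  options  ...
mounts_allowing_suid() {
    awk '{
        n = split($4, opt, ",")
        blocked = 0
        for (i = 1; i <= n; i++)
            if (opt[i] == "nosuid" || opt[i] == "nosetuid") blocked = 1
        if (!blocked) print $2
    }'
}

# List regular files under $1 that carry the setuid or setgid bit,
# without crossing into other file systems (-xdev).
list_suid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Exit 0 when the tree holds no setuid/setgid files, i.e. mounting it
# nosuid would not change the behaviour of anything stored there.
safe_for_nosuid() {
    [ -z "$(list_suid_files "$1")" ]
}

# Constructed sample mount table (device names and options are made up).
sample_mnttab() {
    cat <<'EOF'
/dev/dsk/c0t0d0s0 / ufs rw,intr,largefiles,logging,xattr 1200000000
/dev/dsk/c0t0d0s7 /export/home ufs rw,nosuid,intr,largefiles,logging 1200000000
/dev/vx/dsk/datadg/vol01 /data vxfs rw,delaylog,largefiles 1200000000
EOF
}

# Demonstration on the constructed table: prints "/" and "/data".
sample_mnttab | mounts_allowing_suid
```

On a live system, feed the real mount table to `mounts_allowing_suid`, then run `list_suid_files` on each mount point it reports: an empty result marks a candidate for nosuid, and a non-empty one is the list to review binary by binary.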