make world and setuid bits

From: Jason Stone (jason-fbsd-security@shalott.net)
Date: 03/28/02


Date: Thu, 28 Mar 2002 04:40:31 -0800 (PST)
From: Jason Stone <jason-fbsd-security@shalott.net>
To: <security@FreeBSD.ORG>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Are there make variables that can be set to prevent "make world" from
installing binaries as setuid? Currently, I always run something like
"find -perms -4000 | xargs chmod u-s" after doing a make world, but this
seems inelegant, prone to human error, and dangerous as there's a
(potentially quite long) period in which there are still many setuid
binaries....

make options to allow the prevention of "setuid root", "all setuid",
or "all setuid and all setgid" would be nice.

 -Jason

 -----------------------------------------------------------------------
 I worry about my child and the Internet all the time, even though she's
 too young to have logged on yet. Here's what I worry about. I worry
 that 10 or 15 years from now, she will come to me and say "Daddy, where
 were you when they took freedom of the press away from the Internet?"
        -- Mike Godwin

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg

iD8DBQE8ow9IswXMWWtptckRAkZYAJ9S6Cchf5Cz8rtqAkjjYTp/GBCvdQCfbYx6
L1AGZQV/R96Shfpl9C383Fc=
=NwdP
-----END PGP SIGNATURE-----
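
Added example, not part of the original message and not FreeBSD's own tooling: a POSIX sh version of the post-install cleanup the message describes, with the three policies it asks for ("setuid root", "all setuid", "all setuid and all setgid") selectable as an argument. The function names and policy names are hypothetical; it still runs after the install, so it does not remove the window the message mentions.

```shell
#!/bin/sh
# Added example: strip set-id bits from regular files under a tree.
# Function and policy names are hypothetical, chosen for this example.
# Policies: suid-root = setuid files owned by root
#           suid      = every setuid file
#           all       = every setuid or setgid file

# setid_find ROOT POLICY [find action...]
# Runs find with the test for POLICY and appends the given action.
setid_find() {
    root=$1 policy=$2
    shift 2
    case $policy in
        suid-root) find "$root" -xdev -type f -perm -4000 -user root "$@" ;;
        suid)      find "$root" -xdev -type f -perm -4000 "$@" ;;
        all)       find "$root" -xdev -type f \
                        \( -perm -4000 -o -perm -2000 \) "$@" ;;
        *)         echo "unknown policy: $policy" >&2; return 2 ;;
    esac
}

# list_setid ROOT POLICY: print matching files, one per line, change nothing.
list_setid() {
    setid_find "$1" "$2" -print
}

# strip_setid ROOT POLICY: log the matches to stderr, then clear the bits.
strip_setid() {
    list_setid "$1" "$2" >&2 || return
    case $2 in
        all) mode=u-s,g-s ;;
        *)   mode=u-s ;;
    esac
    # -exec ... {} + batches file names without a pipe to xargs, so
    # names containing spaces or newlines are handled correctly.
    setid_find "$1" "$2" -exec chmod "$mode" {} +
}

# Command-line use: sh strip-setid.sh ROOT POLICY
if [ $# -ge 2 ]; then
    strip_setid "$1" "$2"
fi
```

Running list_setid first shows what a policy would change before any mode bits are touched.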
