Re: suid bit files + securing FreeBSD (new program: LockDown)

From: Socketd (db_at_traceroute.dk)
Date: 07/27/03

    Date: Sun, 27 Jul 2003 13:28:47 +0200
    To: freebsd-security@freebsd.org

    On Sun, 27 Jul 2003 09:57:10 +1000
    Peter Jeremy <PeterJeremy@optushome.com.au> wrote:

    > > But what files REALLY MUST have it ?
    >
    > There's no simple answer to this. It's a matter of going through each
    > file with setuid (or setgid) set, understanding why that file has the
    > set[gu]id bit and whether you need that functionality.

    Robert Watson is going through all the setuid files, to see which really
    need to be setuid. In -CURRENT he has removed the setuid bit from quota.

    Anyway I have been thinking about writing a program to make the default
    installation (with "extreme" security) even more secure. I have attached
    the configuration file; it should explain what the program can do. (Not
    one line of code has been written yet.)

    Btw setting noexec and nosuid on a mount point is a little redundant,
    right? I mean since the user can't execute files, there is no point in
    also setting nosuid?

    Best regards
    Socketd

    ps: Please remember that the LockDown configuration file is only version
    0.1, so nothing is final.
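
The audit discussed in this thread, as an added example that is not part of the original message or of the proposed LockDown program: sh helpers that list set[ug]id files on one filesystem, compare them against a saved baseline, and report which mount points carry nosuid and noexec. The function names and the baseline format (one path per line, as written by `find_setid`) are assumptions of this example.

```shell
#!/bin/sh
# Added example: set[ug]id audit helpers (hypothetical names, not LockDown code).

# find_setid ROOT: sorted list of regular files under ROOT that have the
# setuid or setgid bit, without crossing onto other filesystems (-xdev).
find_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
        LC_ALL=C sort
}

# new_setid ROOT BASELINE: paths that are set[ug]id now but are missing from
# BASELINE, a file written earlier with: find_setid ROOT > BASELINE
new_setid() {
    find_setid "$1" | LC_ALL=C comm -23 - "$2"
}

# mount_flags: read `mount` output on stdin and print one line per mount:
#   mountpoint nosuid=yes|no noexec=yes|no
# Accepts "dev on /mnt (ufs, local, nosuid)" and
# "dev on /mnt type ext4 (rw,nosuid)". Mount points containing spaces are
# not handled.
mount_flags() {
    awk '$2 == "on" {
        opts = $0
        sub(/^.*\(/, "", opts); sub(/\).*$/, "", opts)   # keep text inside (...)
        gsub(/[ ,]+/, ",", opts); opts = "," opts ","    # normalise separators
        printf "%s nosuid=%s noexec=%s\n", $3,
            (index(opts, ",nosuid,") ? "yes" : "no"),
            (index(opts, ",noexec,") ? "yes" : "no")
    }'
}

# Stand-alone use: sh setid-audit.sh ROOT BASELINE
if [ $# -eq 2 ]; then
    echo "set[ug]id files not in baseline:"
    new_setid "$1" "$2"
    echo "mount flags:"
    mount | mount_flags
fi
```

Each path that `new_setid` prints is a file to review by hand, in the way the quoted reply describes, before it is added to the baseline.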

    
    
    
