Re: Linux Hardening

From: Nate Campi (nate@campin.net)
Date: 05/29/02


Date: Tue, 28 May 2002 20:29:38 -0700
From: Nate Campi <nate@campin.net>
To: focus-linux@securityfocus.com

On Mon, May 27, 2002 at 03:58:04PM -0600, Kurt Seifried wrote:
>
> You can remove pretty much all root setuid/setgid bits with the exception of
> sudo, password utilities (passwd, chsh, chfn), newgrp, at, crontab, and a
> handful of others without significantly removing functionality.

All my firewall and loghost builds mount *every* filesystem nosuid. This
doesn't work well on multiuser boxes; you end up needing the suid bit
set on binaries like the ones Mr Seifried listed above. It works great
on boxes where security is critical, and you don't even have to worry
about patches/updates resetting the suid bit on programs ;)

Your mileage may vary.

-- 
"Old programmers never die. They just can't C as well."  -Anon.
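The two checks the thread implies, as an added example that is not code from either poster: audit the setuid/setgid binaries on a box against the short allowlist Mr Seifried gives (sudo, passwd, chsh, chfn, newgrp, at, crontab), and confirm from the kernel's own mount table which filesystems actually carry nosuid, since an fstab entry for / only takes effect once init remounts it. The file lists and mount lines below are constructed sample data; the real `find` and `/proc/mounts` commands are shown in comments.

```shell
#!/bin/sh
# Added example, not from the thread: audit setuid/setgid binaries against the
# allowlist named in the thread, and report filesystems mounted without nosuid.
# All sample data below is constructed; see the comments for the live commands.

# Binaries the thread names as legitimately needing the suid bit.
ALLOWED="sudo passwd chsh chfn newgrp at crontab"

# Constructed stand-in for the output of:
#   find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
SAMPLE_SUID_LIST='/usr/bin/passwd
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/at
/usr/bin/crontab
/usr/bin/ping
/usr/sbin/traceroute
/usr/bin/mount'

# Constructed stand-in for /proc/mounts (device mountpoint fstype options dump pass).
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,nosuid,nodev 0 0
/dev/sda2 /var ext3 rw,nosuid 0 0
/dev/sda3 /home ext3 rw 0 0
proc /proc proc rw 0 0'

# unexpected_suid LIST: print each path whose basename is not in ALLOWED.
unexpected_suid() {
    while IFS= read -r path; do
        if [ -z "$path" ]; then continue; fi
        name=${path##*/}
        found=0
        for ok in $ALLOWED; do
            if [ "$name" = "$ok" ]; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then printf '%s\n' "$path"; fi
    done <<EOF
$1
EOF
}

# count_unexpected LIST: number of lines unexpected_suid would print.
count_unexpected() {
    n=0
    while IFS= read -r line; do
        if [ -n "$line" ]; then n=$((n + 1)); fi
    done <<EOF
$(unexpected_suid "$1")
EOF
    echo "$n"
}

# mounts_without_nosuid MOUNTS: print mountpoints whose option list lacks nosuid.
# nosuid makes the kernel ignore both set-user-ID and set-group-ID bits there.
mounts_without_nosuid() {
    while read -r dev mnt fstype opts rest; do
        if [ -z "$mnt" ]; then continue; fi
        case ",$opts," in
            *,nosuid,*) ;;
            *) printf '%s\n' "$mnt" ;;
        esac
    done <<EOF
$1
EOF
}

# Live usage (commented out so the script runs offline on the constructed data):
#   unexpected_suid "$(find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -print)"
#   mounts_without_nosuid "$(cat /proc/mounts)"
echo "setuid/setgid binaries outside the allowlist:"
unexpected_suid "$SAMPLE_SUID_LIST"
echo "filesystems mounted without nosuid:"
mounts_without_nosuid "$SAMPLE_MOUNTS"
```

On the constructed data the first check reports ping, traceroute and mount, and the second reports /home and /proc. The mount check reads the kernel's view rather than /etc/fstab on purpose: on a single-purpose box where everything is meant to be nosuid, that is the only place that tells you the root filesystem was actually remounted with the option.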