Re: Linux HardeningFrom: Nate Campi (firstname.lastname@example.org)
- Previous message: David Chin: "Re: irssi backdoor question"
- In reply to: Kurt Seifried: "Re: Linux Hardening"
- Next in thread: Tommaso Di Donato: "Re: Linux Hardening"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 28 May 2002 20:29:38 -0700 From: Nate Campi <email@example.com> To: firstname.lastname@example.org
On Mon, May 27, 2002 at 03:58:04PM -0600, Kurt Seifried wrote:
> You can remove pretty much all root setuid/setgid bits with the exception of
> sudo, password utilities (passwd, chsh, chfn), newgrp, at, crontab, and a
> handful of others without significantly removing functionality.
All my firewall and loghost builds mount *every* filesystem nosuid. This
doesn't work well on multiuser boxes, you end up needing the suid bit
set on binaries like the ones Mr Seifried listed above. It works great
on boxes where security is critical, and you don't even have to worry
about patches/updates resetting the suid bit on programs ;)
Your mileage may vary.
-- "Old programmers never die. They just can't C as well." -Anon.