nosuid on mounts

Cameron Simpson cs at zip.com.au
Tue Sep 19 23:42:18 UTC 2006


On 19Sep2006 16:53, Bill Tangren <bjt at aa.usno.navy.mil> wrote:
| I am required to remove the suid bit on several mounted filesystems. I'd 
| like to know what y'all think will happen if I do that.
| 
| The file systems are:
| 
| none on /sys type sysfs (rw)
| usbfs on /proc/bus/usb type usbfs (rw)
| /dev/sda1 on /boot type ext3 (rw)
| none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
| sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)

None of these would normally have setuid content, so this is fine.
| 
| /sys and /dev/sda1 are found in /etc/fstab. I need to change
| 
| LABEL=/boot /boot ext3    defaults        1 2
| none        /sys  sysfs   defaults        0 0
| 
| to
| 
| LABEL=/boot /boot ext3    rw,nosuid,dev,exec,auto,nouser,async        1 2
| none        /sys  sysfs   rw,nosuid,dev,exec,auto,nouser,async        0 0

You should just be able to say "nosuid". You don't need to list everything
else - they will have the default values. The word "defaults" only exists
to occupy the column when _everything_ is default.

This will also protect you from using options on some of these "special"
filesystems which don't apply.

| I haven't a clue as to how to modify these without breaking something.

You should only need to change /boot. I do not expect it is even
possible to try to create a setuid file on these other filesystems; they
are kernel generated views of stuff and as far as I know do not contain
"setuid" things.

Cheers,
-- 
Cameron Simpson <cs at zip.com.au> DoD#743
http://www.cskk.ezoshosting.com/cs/

Sam Jones <samjones at leo.unm.edu> on the Nine Types of User:

Taskmaster -    "Well, this is a file in MacWrite.  Do you know how I can upload
                it to MUSIC, transfer it over to UNIX from there, download it
                onto an IBM, convert it to WordPerfect, and put it in
                three-column format?"
Advantages:     Bold new challenges.
Disadvantages:  Makes one wish to be a garbage collector.
Symptoms:       An inability to keep quiet.  Strong tendencies to make
                machines do things they don't want to do.
Real Case:      One user tried to get a scon to find out what another
                person's E-mail address was even though the user didn't know
                his target's home system, account name, or real name.
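The fstab edit Cameron describes (replace the "defaults" placeholder with just "nosuid", leave the other columns alone) and a follow-up check against `mount` output, as an added example that is not part of the original thread. It assumes the standard six-column fstab layout and the "DEV on MNT type FS (OPTS)" line format of `mount` shown in Bill's message; the sample fstab and mount lines are constructed, not taken from a real system.

```shell
#!/bin/sh
# Added example (not from the thread): add "nosuid" to selected /etc/fstab
# entries and report live mounts that still lack it.
# Assumes: six-column fstab lines; `mount` output of the form
#   DEV on MNT type FS (OPTS)

# add_nosuid OPTS: print the options field with nosuid added. A bare
# "defaults" placeholder is replaced outright, since listing only the
# non-default option is sufficient; anything else keeps its options.
add_nosuid() {
    opts=$1
    case ",$opts," in
        *,nosuid,*)   printf '%s\n' "$opts" ;;        # already hardened
        ",defaults,") printf '%s\n' nosuid ;;         # placeholder -> real option
        *)            printf '%s\n' "$opts,nosuid" ;; # keep existing options
    esac
}

# fstab_nosuid MOUNTPOINT...: read fstab text on stdin, rewrite the options
# column of lines whose mount point is listed, pass everything else through.
fstab_nosuid() {
    targets=" $* "
    (
        set -f   # never glob-expand fields such as LABEL=/boot
        while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in
                ''|'#'*) printf '%s\n' "$line"; continue ;;
            esac
            set -- $line
            case "$targets" in
                *" $2 "*)
                    printf '%s %s %s %s %s %s\n' "$1" "$2" "$3" \
                        "$(add_nosuid "$4")" "${5:-0}" "${6:-0}" ;;
                *) printf '%s\n' "$line" ;;
            esac
        done
    )
}

# mount_lacking_nosuid: read `mount`-style lines on stdin and print the
# mount points whose option list does not contain nosuid.
mount_lacking_nosuid() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            *" on "*" type "*"("*")") ;;
            *) continue ;;               # not a mount line
        esac
        rest=${line#* on }               # "MNT type FS (OPTS)"
        mp=${rest%% type *}
        opts=${line##*"("}; opts=${opts%")"}
        case ",$opts," in
            *,nosuid,*) ;;
            *) printf '%s\n' "$mp" ;;
        esac
    done
}

# Constructed sample input (not a real system's files).
SAMPLE_FSTAB='LABEL=/boot /boot ext3 defaults 1 2
none /sys sysfs defaults 0 0
/dev/sda2 / ext3 defaults 1 1'
SAMPLE_MOUNT='none on /sys type sysfs (rw)
/dev/sda1 on /boot type ext3 (rw,nosuid)'

printf '%s\n' "$SAMPLE_FSTAB" | fstab_nosuid /boot /sys
printf '%s\n' "$SAMPLE_MOUNT" | mount_lacking_nosuid
```

On a real system, pipe `mount` into `mount_lacking_nosuid` after `mount -o remount /boot` to confirm the option took effect; the fstab helper prints to stdout so the result can be reviewed before it replaces /etc/fstab.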
