nosuid on mounts
Cameron Simpson
cs at zip.com.au
Tue Sep 19 23:42:18 UTC 2006
On 19Sep2006 16:53, Bill Tangren <bjt at aa.usno.navy.mil> wrote:
| I am required to remove the suid bit on several mounted filesystems. I'd
| like to know what y'all think will happen if I do that.
|
| The file systems are:
|
| none on /sys type sysfs (rw)
| usbfs on /proc/bus/usb type usbfs (rw)
| /dev/sda1 on /boot type ext3 (rw)
| none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
| sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
None of these would normally have setuid content, so this is fine.
|
| /sys and /dev/sda1 are found in /etc/fstab. I need to change
|
| LABEL=/boot /boot ext3 defaults 1 2
| none /sys sysfs defaults 0 0
|
| to
|
| LABEL=/boot /boot ext3 rw,nosuid,dev,exec,auto,nouser,async 1 2
| none /sys sysfs rw,nosuid,dev,exec,auto,nouser,async 0 0
You should just be able to say "nosuid". You don't need to list everything
else - they will have the default values. The word "defaults" only exists
to occupy the column when _everything_ is default.
This will also protect you from using options on some of these "special"
filesystems which don't apply.
| I haven't a clue as to how to modify these without breaking something.
You should only need to change /boot. I do not expect it is even
possible to try to create a setuid file on these other filesystems; they
are kernel generated views of stuff and as far as I know do not contain
"setuid" things.
Cheers,
--
Cameron Simpson <cs at zip.com.au> DoD#743
http://www.cskk.ezoshosting.com/cs/
Sam Jones <samjones at leo.unm.edu> on the Nine Types of User:
Taskmaster - "Well, this is a file in MacWrite. Do you know how I can upload
it to MUSIC, transfer it over to UNIX from there, download it
onto an IBM, convert it to WordPerfect, and put it in
three-column format?"
Advantages: Bold new challanges.
Disadvantages: Makes one wish to be a garbage collector.
Symptoms: An inability to keep quiet. Strong tendancies to make
machines do things they don't want to do.
Real Case: One user tried to get a scon to find out what another
person's E-mail address was even though the user didn't know
his target's home system, account name, or real name.
More information about the redhat-list
mailing list