nosuid on mounts

Bill Tangren bjt at aa.usno.navy.mil
Wed Sep 20 14:35:25 UTC 2006


Cameron Simpson wrote:
> On 19Sep2006 16:53, Bill Tangren <bjt at aa.usno.navy.mil> wrote:
> | I am required to remove the suid bit on several mounted filesystems. I'd 
> | like to know what y'all think will happen if I do that.
> | 
> | The file systems are:
> | 
> | none on /sys type sysfs (rw)
> | usbfs on /proc/bus/usb type usbfs (rw)
> | /dev/sda1 on /boot type ext3 (rw)
> | none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
> | sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
> 
> None of these would normally have setuid content, so this is fine.
> | 
> | /sys and /dev/sda1 are found in /etc/fstab. I need to change
> | 
> | LABEL=/boot /boot ext3    defaults        1 2
> | none        /sys  sysfs   defaults        0 0
> | 
> | to
> | 
> | LABEL=/boot /boot ext3    rw,nosuid,dev,exec,auto,nouser,async        1 2
> | none        /sys  sysfs   rw,nosuid,dev,exec,auto,nouser,async        0 0
> 
> You should just be able to say "nosuid". You don't need to list everything
> else - they will have the default values. The word "defaults" only exists
> to occupy the column when _everything_ is default.
> 
> This will also protect you from using options on some of these "special"
> filesystems which don't apply.
> 
> | I haven't a clue as to how to modify these without breaking something.
> 
> You should only need to change /boot. I do not expect it is even
> possible to try to create a setuid file on these other filesystems; they
> are kernel generated views of stuff and as far as I know do not contain
> "setuid" things.
> 
> Cheers,

Thanks!
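A worked example of the change discussed in the thread, added here and not code posted by either participant: three small bash helpers that (1) add an option such as `nosuid` to the options column of an fstab entry, replacing the `defaults` placeholder as Cameron describes rather than stacking options next to it, (2) test whether a mount point currently carries that option from a `/proc/mounts`-style listing, and (3) list setuid/setgid files under a mount point, which is the check to run before adding `nosuid` to a filesystem you are unsure about. The function names, the sample fstab and mounts contents, and the temporary setuid file are all constructed for the demo and assumed, not taken from a real machine.

```shell
#!/usr/bin/env bash
# Added example, not code from the mailing-list thread. Helper names and the
# sample fstab / mounts contents below are constructed, modelled on the two
# fstab lines and the mount listing quoted in the thread.
set -eu

# Add OPTION (e.g. nosuid) to the options field (4th column) of the fstab
# entry whose mount point (2nd column) is MOUNTPOINT. "defaults" only occupies
# the column when everything is default, so it is replaced by the new option
# instead of being kept beside it. An option already present is not repeated;
# comments, blank lines and other entries pass through unchanged.
add_mount_option() {
  local fstab=$1 mountpoint=$2 option=$3
  awk -v mp="$mountpoint" -v opt="$option" 'BEGIN { OFS = "\t" }
    /^[ \t]*(#|$)/ { print; next }
    $2 == mp {
      if ($4 == "defaults") { $4 = opt }
      else {
        n = split($4, parts, ","); found = 0
        for (i = 1; i <= n; i++) if (parts[i] == opt) found = 1
        if (!found) $4 = $4 "," opt
      }
    }
    { print }' "$fstab"
}

# Exit 0 if MOUNTPOINT is listed with OPTION in a /proc/mounts-style file
# (fields: source mountpoint fstype options dump pass), else exit 1.
# On a live system pass /proc/self/mounts as the first argument.
mount_has_option() {
  local mounts=$1 mountpoint=$2 option=$3
  awk -v mp="$mountpoint" -v opt="$option" '
    $2 == mp { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == opt) hit = 1 }
    END { exit hit ? 0 : 1 }' "$mounts"
}

# List setuid/setgid regular files under DIR without crossing into other
# filesystems (-xdev). Empty output means nosuid cannot break anything there.
list_setuid_files() {
  local dir=$1
  find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Constructed sample fstab, based on the two lines quoted in the thread.
SAMPLE_FSTAB='LABEL=/boot /boot ext3    defaults        1 2
none        /sys  sysfs   defaults        0 0'

# Constructed /proc/mounts-style listing for the same two mount points.
SAMPLE_MOUNTS='none /sys sysfs rw 0 0
/dev/sda1 /boot ext3 rw 0 0'

demo() {
  local tmp; tmp=$(mktemp -d)
  printf '%s\n' "$SAMPLE_FSTAB" > "$tmp/fstab"
  printf '%s\n' "$SAMPLE_MOUNTS" > "$tmp/mounts"
  echo "--- fstab after adding nosuid to /boot ---"
  add_mount_option "$tmp/fstab" /boot nosuid
  if mount_has_option "$tmp/mounts" /boot nosuid; then
    echo "/boot is already mounted nosuid"
  else
    echo "/boot is not mounted nosuid yet (remount needed)"
  fi
  # A constructed setuid file so the pre-change check has something to report.
  mkdir -p "$tmp/mnt"; : > "$tmp/mnt/suid_bin"; chmod 4755 "$tmp/mnt/suid_bin"
  echo "--- setuid/setgid files under the sample directory ---"
  list_setuid_files "$tmp/mnt"
  rm -rf "$tmp"
}
demo
```

Run `list_setuid_files /boot` (and the same for the other mount points) before editing fstab; nothing listed means Cameron's expectation holds for that filesystem. After editing fstab, `mount -o remount,nosuid /boot` applies the option without a reboot, and `mount_has_option /proc/self/mounts /boot nosuid` confirms it took effect.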
