Re: nosuid on mounts



On 19Sep2006 16:53, Bill Tangren <bjt@xxxxxxxxxxxxxxxx> wrote:
| I am required to remove the suid bit on several mounted filesystems. I'd
| like to know what y'all think will happen if I do that.
|
| The file systems are:
|
| none on /sys type sysfs (rw)
| usbfs on /proc/bus/usb type usbfs (rw)
| /dev/sda1 on /boot type ext3 (rw)
| none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
| sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)

None of these would normally have setuid content, so this is fine.
|
| /sys and /dev/sda1 are found in /etc/fstab. I need to change
|
| LABEL=/boot /boot ext3 defaults 1 2
| none /sys sysfs defaults 0 0
|
| to
|
| LABEL=/boot /boot ext3 rw,nosuid,dev,exec,auto,nouser,async 1 2
| none /sys sysfs rw,nosuid,dev,exec,auto,nouser,async 0 0

You should just be able to say "nosuid". You don't need to list everything
else - they will have the default values. The word "defaults" only exists
to occupy the column when _everything_ is default.

This will also protect you from using options on some of these "special"
filesystems which don't apply.

| I haven't a clue as to how to modify these without breaking something.

You should only need to change /boot. I do not expect it is even
possible to try to create a setuid file on these other filesystems; they
are kernel generated views of stuff and as far as I know do not contain
"setuid" things.

Cheers,
--
Cameron Simpson <cs@xxxxxxxxxx> DoD#743
http://www.cskk.ezoshosting.com/cs/

Sam Jones <samjones@xxxxxxxxxxx> on the Nine Types of User:

Taskmaster - "Well, this is a file in MacWrite. Do you know how I can upload
it to MUSIC, transfer it over to UNIX from there, download it
onto an IBM, convert it to WordPerfect, and put it in
three-column format?"
Advantages: Bold new challenges.
Disadvantages: Makes one wish to be a garbage collector.
Symptoms: An inability to keep quiet. Strong tendencies to make
machines do things they don't want to do.
Real Case: One user tried to get a scon to find out what another
person's E-mail address was even though the user didn't know
his target's home system, account name, or real name.

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
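
The two practical points in Cameron's reply (a bare `nosuid` replaces the placeholder word `defaults` in the fstab options column, and only the filesystem that can actually hold setuid binaries needs attention) as an added shell example that is not part of the thread or of any distribution tooling. The sample `/proc/mounts`-style lines are constructed here for illustration; the functions assume that format (device, mount point, type, options) rather than the `mount` output quoted above, and `count_setuid` is a hypothetical helper name for auditing a directory with `find`.

```shell
#!/bin/sh
# Added example, not from the original thread.

# add_nosuid OPTS -> OPTS with nosuid present.
# "defaults" only occupies the column when everything is default,
# so it is replaced outright instead of being appended to.
add_nosuid() {
  opts=$1
  case ",$opts," in
    *,nosuid,*) printf '%s\n' "$opts" ;;            # already set, leave as is
    *)
      if [ "$opts" = defaults ]; then
        printf 'nosuid\n'
      else
        printf '%s,nosuid\n' "$opts"
      fi ;;
  esac
}

# rewrite_fstab_line LINE -> the same fstab line with nosuid in field 4.
# Fields 5 and 6 (dump, fsck pass) default to 0 if the line omits them.
rewrite_fstab_line() {
  line=$1
  set -- $line
  printf '%s %s %s %s %s %s\n' "$1" "$2" "$3" "$(add_nosuid "$4")" "${5:-0}" "${6:-0}"
}

# list_mounts_missing_nosuid < /proc/mounts -> mount points whose options lack nosuid.
list_mounts_missing_nosuid() {
  while read -r dev mnt fstype opts rest; do
    case ",$opts," in
      *,nosuid,*) ;;
      *) printf '%s\n' "$mnt" ;;
    esac
  done
}

# count_setuid DIR -> number of regular files under DIR with the setuid bit,
# without crossing into other mounts. Useful before flipping nosuid on a
# filesystem that might hold real setuid binaries (unlike sysfs or usbfs).
count_setuid() {
  find "$1" -xdev -type f -perm -4000 -print 2>/dev/null | wc -l | tr -d ' '
}

# Constructed sample in /proc/mounts format (not a real system's table).
SAMPLE_MOUNTS='/dev/sda1 /boot ext3 rw 0 0
none /sys sysfs rw,nosuid 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
usbfs /proc/bus/usb usbfs rw 0 0'

# Usage: show which sample mounts still allow setuid, and the rewritten fstab lines.
printf '%s\n' "$SAMPLE_MOUNTS" | list_mounts_missing_nosuid
rewrite_fstab_line 'LABEL=/boot /boot ext3 defaults 1 2'
rewrite_fstab_line 'none /sys sysfs defaults 0 0'
```

On a live system the same functions apply to `/proc/mounts` directly (`list_mounts_missing_nosuid < /proc/mounts`), and `count_setuid /boot` confirms there is nothing on the filesystem that depends on the bit before the change is made with `mount -o remount,nosuid /boot`.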