nosuid on mounts
user name
2006-09-19 20:53:24
I am required to remove the suid bit on several mounted filesystems. I'd
like to know what y'all think will happen if I do that.

The file systems are:

none on /sys type sysfs (rw)
usbfs on /proc/bus/usb type usbfs (rw)
/dev/sda1 on /boot type ext3 (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)


/sys and /dev/sda1 are found in /etc/fstab. I need to change

LABEL=/boot /boot ext3    defaults        1 2
none        /sys  sysfs   defaults        0 0

to

LABEL=/boot /boot ext3   rw,nosuid,dev,exec,auto,nouser,async        1 2
none        /sys  sysfs  rw,nosuid,dev,exec,auto,nouser,async        0 0

I think binfmt_misc is mounted from /etc/rc.sysinit. I *think* I'd need to change

/bin/mount -t binfmt_misc none /proc/sys/fs/binfmt_misc > /dev/null 2>&1

to

/bin/mount -t binfmt_misc -o noexec none /proc/sys/fs/binfmt_misc > /dev/null 2>&1

The rpc_pipefs is in /etc/modprobe.conf.dist and the mount line is:

install sunrpc /sbin/modprobe --first-time --ignore-install sunrpc && { /bin/mount -t rpc_pipefs sunrpc /var/lib/nfs/rpc_pipefs > /dev/null 2>&1 || :; }

which I assume I'd have to change as for binfmt_misc above.

The usb mount is in /etc/rc.sysinit. There are two lines:

mount -n -t proc /proc /proc
[ -d /proc/bus/usb ] && mount -n -t usbfs /proc/bus/usb /proc/bus/usb

mount -f /dev/pts
[ -f /proc/bus/usb/devices ] && mount -f -t usbfs usbfs /proc/bus/usb

I haven't a clue as to how to modify these without breaking something.

Any comments?

Bill Tangren

-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
nosuid on mounts
user name
2006-09-19 23:42:18
On 19Sep2006 16:53, Bill Tangren <bjtaa.usno.navy.mil> wrote:
| I am required to remove the suid bit on several mounted filesystems. I'd
| like to know what y'all think will happen if I do that.
| 
| The file systems are:
| 
| none on /sys type sysfs (rw)
| usbfs on /proc/bus/usb type usbfs (rw)
| /dev/sda1 on /boot type ext3 (rw)
| none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
| sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)

None of these would normally have setuid content, so this is fine.
| 
| /sys and /dev/sda1 are found in /etc/fstab. I need to change
| 
| LABEL=/boot /boot ext3    defaults        1 2
| none        /sys  sysfs   defaults        0 0
| 
| to
| 
| LABEL=/boot /boot ext3   rw,nosuid,dev,exec,auto,nouser,async        1 2
| none        /sys  sysfs  rw,nosuid,dev,exec,auto,nouser,async        0 0

You should just be able to say "nosuid". You don't need to list everything
else - they will have the default values. The word "defaults" only exists
to occupy the column when _everything_ is default.

This will also protect you from using options on some of these "special"
filesystems which don't apply.

| I haven't a clue as to how to modify these without breaking something.

You should only need to change /boot. I do not expect it is even
possible to try to create a setuid file on these other filesystems; they
are kernel generated views of stuff and as far as I know do not contain
"setuid" things.

Cheers,
-- 
Cameron Simpson <cs@zip.com.au> DoD#743 http://www.cskk.ezoshosting.com/cs/

Sam Jones <samjonesleo.unm.edu> on the Nine Types of User:

Taskmaster -    "Well, this is a file in MacWrite.  Do you know how I can upload
                it to MUSIC, transfer it over to UNIX from there, download it
                onto an IBM, convert it to WordPerfect, and put it in
                three-column format?"
Advantages:     Bold new challenges.
Disadvantages:  Makes one wish to be a garbage collector.
Symptoms:       An inability to keep quiet.  Strong tendencies to make
                machines do things they don't want to do.
Real Case:      One user tried to get a scon to find out what another
                person's E-mail address was even though the user didn't know
                his target's home system, account name, or real name.

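An audit script tying together Bill's question and Cameron's answer, added here as an example and not taken from either post: it reports mounts whose option field lacks nosuid, shows the minimal fstab edit (append nosuid to the existing options instead of spelling out every default), and checks a tree for files that actually carry the setuid/setgid bits, which is how to confirm the claim that these filesystems hold no setuid content. The mount table is a constructed sample in /proc/mounts format; setuid_files uses GNU find's -perm /mode syntax.

```shell
#!/bin/sh
# Added example, not from the thread.  Constructed sample in /proc/mounts
# format (device mountpoint fstype options dump pass), modelled on the
# filesystems Bill listed plus a root fs.
SAMPLE_MOUNTS='none /sys sysfs rw 0 0
usbfs /proc/bus/usb usbfs rw 0 0
/dev/sda1 /boot ext3 rw 0 0
/dev/sda2 / ext3 rw 0 0
none /proc/sys/fs/binfmt_misc binfmt_misc rw,nosuid 0 0'

# mounts_without_nosuid: read /proc/mounts-style lines on stdin and print
# "mountpoint fstype" for every mount whose option list has no nosuid flag.
# Options are split on commas so "nosuid" is matched as a whole word.
mounts_without_nosuid() {
    awk '{
        n = split($4, opts, ",");
        found = 0;
        for (i = 1; i <= n; i++) if (opts[i] == "nosuid") found = 1;
        if (!found) print $2, $3;
    }'
}

# add_nosuid: return an fstab option field with nosuid appended once.
# "defaults,nosuid" is enough: mount applies the defaults first and the
# later nosuid overrides the implied suid, so nothing else needs listing.
add_nosuid() {
    case ",$1," in
        *,nosuid,*) printf '%s\n' "$1" ;;
        *)          printf '%s,nosuid\n' "$1" ;;
    esac
}

# setuid_files: list regular files under a directory with the setuid or
# setgid bit set, without crossing into other mounted filesystems (-xdev).
# An empty result for a mount point supports adding nosuid safely.
setuid_files() {
    find "$1" -xdev -type f -perm /6000 2>/dev/null
}

# Stand-alone demonstration on the constructed table.
printf '%s\n' "$SAMPLE_MOUNTS" | mounts_without_nosuid
add_nosuid defaults
```

On a live system, feed `cat /proc/mounts` to mounts_without_nosuid and run setuid_files against each mount point it reports before changing fstab.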
nosuid on mounts
user name
2006-09-20 14:35:25
Cameron Simpson wrote:
> On 19Sep2006 16:53, Bill Tangren <bjtaa.usno.navy.mil> wrote:
> | I am required to remove the suid bit on several mounted filesystems. I'd
> | like to know what y'all think will happen if I do that.
> | 
> | The file systems are:
> | 
> | none on /sys type sysfs (rw)
> | usbfs on /proc/bus/usb type usbfs (rw)
> | /dev/sda1 on /boot type ext3 (rw)
> | none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
> | sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
> 
> None of these would normally have setuid content, so this is fine.
> | 
> | /sys and /dev/sda1 are found in /etc/fstab. I need to change
> | 
> | LABEL=/boot /boot ext3    defaults        1 2
> | none        /sys  sysfs   defaults        0 0
> | 
> | to
> | 
> | LABEL=/boot /boot ext3   rw,nosuid,dev,exec,auto,nouser,async        1 2
> | none        /sys  sysfs  rw,nosuid,dev,exec,auto,nouser,async        0 0
> 
> You should just be able to say "nosuid". You don't need to list everything
> else - they will have the default values. The word "defaults" only exists
> to occupy the column when _everything_ is default.
> 
> This will also protect you from using options on some of these "special"
> filesystems which don't apply.
> 
> | I haven't a clue as to how to modify these without breaking something.
> 
> You should only need to change /boot. I do not expect it is even
> possible to try to create a setuid file on these other filesystems; they
> are kernel generated views of stuff and as far as I know do not contain
> "setuid" things.
> 
> Cheers,

Thanks!

