suid bit files + securing FreeBSD (new program: LockDown)

[db at traceroute.dk (Socketd)]

On Sun, 27 Jul 2003 09:57:10 +1000
Peter Jeremy <PeterJeremy_(_at_)_optushome_(_dot_)_com_(_dot_)_au> wrote:

> > But what files REALLY MUST have it ?
> 
> There's no simple answer to this.  It's a matter of going through each
> file with setuid (or setgid) set, understanding why that file has the
> set[gu]id bit and whether you need that functionality.

Robert Watson is going through all the setuid files, to see which really
need to be setuid. In -CURRENT he has removed the setuid bit from quota.

Anyway I have been thinking about writing a program to make the default
installation (with "extreme" security) even more secure. I have attached
the configuration file, it should explain what the program can do. (not
one line of code have been written yet).

Btw setting noexec and nosuid on a mount point is a little redundante
right? I mean since the user can't execute files, there is no point in
also setting nosuid?

Best regards
Socketd

ps: Please remember that the LockDown configuration file is only version
0.1, so nothing is final.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: lockdown.conf
Type: application/octet-stream
Size: 7201 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20030727/611bc2c6/lockdown.obj