Hello All, Sorry if it has been asked in the past, but is it OK to mount the /usr partition as nosuid? What, if any, default programs will that break? And also, does that give me any added security benefits? Running 4.6 release GENERIC i386. Thanks, Mark
why do you want to do this? (what problem are you trying to solve?)
cel
--
Christopher Linn <celinn at mtu.edu> | By no means shall either the CEC
System Administrator II | or MTU be held in any way liable
Center for Experimental Computation | for any opinions or conjecture I
Michigan Technological University | hold to or imply to hold herein.
All, thanks for the responses so far. I work for the Fed and we have to set up a DNSSEC BIND server on our end. I was just reading some of their "advice" on setting up the server... 2. Mount BIND's chroot filesystem with the noexec,nosuid,nodev options. Of course all their instructions are for Red Hat and Debian, but I want to do this on OpenBSD...... thanks, Mark
On OpenBSD, the bind chroot is in /var, which is by default nosuid,nodev (if it is a separate partition).
Errrr, BIND is chrooted to /var/named. Which is to say, on a standard OpenBSD install with 'reasonable' partitions, you would mount /var noexec,nosuid,nodev - but it defaults to nosuid,nodev, and you'd have to make your own determination as to whether binaries in /var are okay or not (I *think* /var/www/bin is the only thing you'd have to look at, but you can do the digging on that). -- Matthew Weigel hacker unique & idempot . ent
This is a very bad idea. How do you think sudo does its job? su? Any number of other programs including /usr/libexec/auth/*? Joachim
Find out for yourself. See how Set-User-ID mode and Set-Group-ID mode are reported from the ls(1) man page. Then, look at your $PATH, and see how many directories in the /usr hierarchy contain executables. Run ls(1) with long mode output, and see for yourself what programs you would break when you create your Frankensystem.
"find /usr -perm 4555 -ls" will solve the question re whether it will break something. -- The best the little guy can do is what the little guy does right
to the OP: perhaps what you are thinking of is third party apps (packages) in /usr/local. in the new install script the disk auto-layout feature creates a separate /usr/local partition; do this and mount it nosuid... THEN run "find /usr/local -perm 4555 -ls" to see what apps you are breaking 8*)
cel
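The two "find ... -perm 4555 -ls" suggestions above only match files with exactly that mode; a small audit script, added here as an example and not posted by anyone in the thread, lists every setuid or setgid file under a tree and reports which filesystems in an fstab are still mounted without nosuid. The sample fstab and the scratch directory it builds are constructed for the demo, so it runs without root or a real /usr.

```shell
#!/bin/sh
# Added example (not from the thread): audit set-id binaries under a
# directory tree and check which filesystems in an fstab lack nosuid.

# List regular files with the setuid or setgid bit set under $1.
# Broader than "-perm 4555", which only matches that exact mode.
setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Count set-id files under $1; a non-zero count means mounting that
# filesystem nosuid would break those programs.
count_setid() {
    setid_files "$1" | wc -l | tr -d ' '
}

# Given fstab-style lines on stdin, print "mountpoint options" for
# every filesystem whose options do not include nosuid.
suid_allowed_mounts() {
    while read -r dev mnt fstype opts rest; do
        case "$dev" in ''|'#'*) continue ;; esac
        case ",$opts," in
            *,nosuid,*) ;;
            *) printf '%s %s\n' "$mnt" "$opts" ;;
        esac
    done
}

# Constructed sample fstab resembling an OpenBSD auto-layout.
SAMPLE_FSTAB='# device      mountpoint  type  options
/dev/sd0a     /           ffs   rw 1 1
/dev/sd0d     /tmp        ffs   rw,nodev,nosuid 1 2
/dev/sd0e     /var        ffs   rw,nodev,nosuid 1 2
/dev/sd0f     /usr        ffs   rw,nodev 1 2
/dev/sd0g     /usr/local  ffs   rw,nodev 1 2'

# Build a scratch tree with one setuid, one setgid and one plain file.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin"
    : > "$d/bin/plain"; chmod 0755 "$d/bin/plain"
    : > "$d/bin/suid";  chmod 4755 "$d/bin/suid"
    : > "$d/bin/sgid";  chmod 2755 "$d/bin/sgid"
    printf '%s' "$d"
}

if [ "${1:-}" = "--demo" ]; then
    t=$(make_demo_tree)
    echo "set-id files under $t: $(count_setid "$t")"
    echo "$SAMPLE_FSTAB" | suid_allowed_mounts
fi
```

Run it as `sh audit.sh --demo` for the scratch tree, or call `setid_files /usr` and pipe the real /etc/fstab into `suid_allowed_mounts` to audit a live system.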
Ok, I am not sure if I am replying to just that user or the whole group when using the gmail client... anyway.... All, thanks for the responses so far. I work for the Fed and we have to set up a DNSSEC BIND server on our end. I was just reading some of their "advice" on setting up the server... 2. Mount BIND's chroot filesystem with the noexec,nosuid,nodev options. Of course all their instructions are for Red Hat and Debian, but I want to do this on OpenBSD...... I understand not being able to use the noexec option, but I was not sure about the nosuid.. thanks very much....
Ah yes, thanks Otto! I think I was getting confused between the named binary in /usr/sbin/ and where the bind files are chrooted under /var/named. Yes, so this would already be done in OpenBSD..... thanks, Mark
You will soon discover that in OpenBSD, you don't have to go around the system hardening it... -- Mauro Rezzonico <mauro@ch23.org>, Como, Italia "Maybe this world is another planet's hell" - H.Huxley
