"In the previous message, Evil Pete said..."

> "Pat Myrto" has been known to say:
> >
> > There is a patch, that is nothing more than a script that improves
> > the perms that is available, at least for SunOS 4.1.x. As you point out
> > it changes /etc/ from bin to root, and the same with a lot of other
> > subdirs. How complete it is, I don't know but it is far better than
> > the original.
>
> To get the permissions right under SunOS you have to do it yourself
> mount:
>
> /          rw,nosuid
> /usr       ro
> /var       rw,nosuid
> /home      rw,nosuid
> /tmp       rw,nosuid
> /usr/local ro

That is something I must try - I was led to believe the nosuid option
applied only to NFS mounts.

The script I mentioned is far better than nothing; its main impact is the
ownership of the subdirs. Stuff like /etc, and so on, ship owned by bin,
which is no good at all, especially on diskless stations, and/or stations
on the local network where the user has root privs on his workstation.
While root is supposed to map to nobody on an nfs mount (unless the root
option is specified), bin maps to bin, making it irrelevant who owns
/etc/passwd, and so on, if one has access to bin on the client machine...

I will most definitely try that nosuid and ro combo on regular mounts,
especially for subdirs writable by users, as there is no earthly reason
most users need to run any SUID anything programs in their home subdir
area - even suid to themselves. Thanks for pointing that out!

> and for automount/afs users:
> /net rw,nosuid,nodev

Automount is a feature I have not tried - from all accounts one gets the
feeling it is more headache than it's worth. What is the gain that
warrants all the hassles? I recall that it is less than robust.

> this way there is no place to install a setuid program/backdoor
> and most of the system binaries are on a readonly partition.

That is a good point.

The only problem with making /usr/local readonly is that one must bring
the system down to single user to install or update anything, so there
would be a tradeoff. Still, being aware of that option, one can make an
informed decision whether making local ro is desired.

Your partition arrangement above is EXACTLY like mine other than the ro
and nosuid options, and order of mounting: /, /usr, /tmp, /usr/local,
/var, home. I will be adding other stuff on top, mostly under /var or
/var/spool when I add more drives (like /var/spool/news, etc).

> as for sun automount (afs is better :-) I find most sites that
> setup /net forget to disable setuid, thus anyone can get root by typing
> the command:
>
> /net/unsecure.host.another.dom/tmp/make_be_root

I am not sure what you are talking about here 'make_be_root'. Isn't the
suid problem something that exists on all the nfs mounts, other than the
user effectively does a mount himself by virtue of accessing the subdir
in question? Is this a problem inherent in automount?

--
pat@rwing [If all fails, try: rwing!pat@ole.cdac.com]
Pat Myrto - Seattle WA
"No one has the right to destroy another person's belief by demanding
empirical evidence." -- Ann Landers, nationally syndicated advice
columnist and Director at Handgun Control Inc.
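Turning the mount table discussed above into a check: this added shell script (not from either poster) audits SunOS-style /etc/fstab entries for writable filesystems that lack nosuid and for NFS entries that lack nodev. The sample entries, device names and the fileserver name are constructed for the example.

```shell
#!/bin/sh
# Added example: flag fstab entries that still honour setuid binaries on
# writable filesystems, or device nodes on NFS mounts.
# Assumed field layout (SunOS 4 /etc/fstab): device mountpoint fstype options freq pass

# Constructed sample fstab, mirroring the layout in the thread but with
# /home left without nosuid and /net without nodev.
SAMPLE_FSTAB='/dev/sd0a / 4.2 rw,nosuid 1 1
/dev/sd0g /usr 4.2 ro 1 2
/dev/sd0h /var 4.2 rw,nosuid 1 3
/dev/sd1g /home 4.2 rw 1 4
/dev/sd0d /tmp 4.2 rw,nosuid 1 5
/dev/sd1h /usr/local 4.2 ro 1 6
fileserver:/export/net /net nfs rw,nosuid 0 0'

# has_opt OPTLIST OPT: succeed if OPT appears as a whole option in the
# comma-separated list (so "nosuid" does not match "nosuidx").
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_fstab: read fstab lines on stdin, print one finding per problem:
#   <mountpoint> <problem>
audit_fstab() {
    while read -r dev mnt fstype opts rest; do
        # skip blank lines and comments
        case "$dev" in ''|'#'*) continue ;; esac
        # a filesystem users can write to should not honour setuid bits
        if ! has_opt "$opts" ro && ! has_opt "$opts" nosuid; then
            printf '%s writable-without-nosuid\n' "$mnt"
        fi
        # device nodes on a remote filesystem are never needed locally
        if [ "$fstype" = nfs ] && ! has_opt "$opts" nodev; then
            printf '%s nfs-without-nodev\n' "$mnt"
        fi
    done
}

# Run against the constructed sample (in practice: audit_fstab < /etc/fstab)
printf '%s\n' "$SAMPLE_FSTAB" | audit_fstab
```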