Re: What to do about checksecurity
Jim Mintha wrote:
>
>> At present, the checksecurity script doesn't check nfs/afs/whatever
>> disks only if they are mounted (nosuid or noexec) and nodev. About
>> once a month I get an e-mail or bug report from someone who doesn't
>> like this, because of the extensive network access involved. I write
>> back a letter saying that if they don't want this to happen they
>> can either do their nfs/afs/whatever mounts nosuid,nodev, or modify
>> /etc/checksecurity.conf to skip all n/a/w type mounts and abandon all
>> pretense of checksecurity usefulness.
>>
>> However, I'm getting tired of responding to these letters. I'm becoming
>> less and less convinced of checksecurity's usefulness, mostly because I
>> suspect most people choose to skip n/a/w mounted disks, even if those
>> mounts might have suid programs on them. I guess my questions are:
>>
>> 1. Does anybody actually care about the checksecurity script?
>>
>> 2. If you do, have you modified checksecurity.conf? How so?
>>
>> I'm strongly considering removing the checksecurity functionality from
>> the cron package, if I can figure out a safe way to move the conf file.
>
>I modify the checksecurity.conf to not search any nfs mounted disks.
>It adds way too much network traffic when every client does this, not
>to mention error messages from the cron job when it can't access
>certain directories.
Do they need to be mounted setuid?
>
>I do find the script useful though. And it would be one useful check
>if we had a compromise or suspected one.
I agree. I was one of those people writing Steve Greenland about the
traffic checksecurity was causing, in my case with the statting of /afs.
I think I came up with something that will work for other AFS
users. Within checksecurity.conf, under the section
<><><>
#
# Use temp variables to build up CHECKSECURITY_FILTER, to make it
# a little more readable.
#
CS_NFSAFS='(nfs|afs) \(.*(nosuid|noexec).*nodev.*\)'
CS_TYPES=' type (auto|proc|msdos|fat|vfat|iso9660|ncpfs|smbfs|'$CS_NFSAFS')'
#
CS_DEVS='^/dev/fd'
#
CS_DIRS='on /mnt'
#
CHECKSECURITY_FILTER="$CS_TYPES|$CS_DEVS|$CS_DIRS"
<><><>
I added
<><><>
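# Exclude AFS partition even if it allows setuid, if our environment is secure.
if [ -x /afs ]
then
    # Cells whose setuid programs are honored, and this client's own cell.
    SUIDCELLS=`cat /usr/vice/etc/SuidCells 2>/dev/null`
    THISCELL=`awk '{print $1}' /usr/vice/etc/ThisCell 2>/dev/null`
    # Quote both sides so an empty or multi-line SuidCells cannot break the
    # test, and use "=", the portable string comparison for [ ].
    if [ -n "$THISCELL" ] && [ "$SUIDCELLS" = "$THISCELL" ]
    then
        # AFS is mounted securely, include in the filter even if
        # mounted setuid
        CHECKSECURITY_FILTER="$CHECKSECURITY_FILTER|afs"
    fi
fi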
<><><>
I don't know how elegant this is considered to be (a lot of shell
commands in a conf file), but I believe the conf files it is checking
are conventional for Linux AFS clients. Do other AFS users on
this list see any problems with it?
--
Kane Spinato, Band Member | SneezyMUD sneezy.stanford.edu 7900
kriebly@sneezy.stanford.edu
I have opinions; my employer doesn't.
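
An added example, not part of the original message or of the cron package: it runs the filter quoted above, with and without the `|afs` addition, over constructed `mount` output to show which mount points would still be scanned. It assumes checksecurity drops every line matching the filter with `grep -E -v` and takes the mount point from the third field; `sample_mounts` and `scanned` are hypothetical helper names.

```shell
#!/bin/sh
# Filter variables copied from the checksecurity.conf excerpt in this message.
CS_NFSAFS='(nfs|afs) \(.*(nosuid|noexec).*nodev.*\)'
CS_TYPES=' type (auto|proc|msdos|fat|vfat|iso9660|ncpfs|smbfs|'$CS_NFSAFS')'
CS_DEVS='^/dev/fd'
CS_DIRS='on /mnt'
BASE_FILTER="$CS_TYPES|$CS_DEVS|$CS_DIRS"
AFS_FILTER="$BASE_FILTER|afs"    # the addition proposed in the message

# Constructed sample of `mount` output (not taken from a real host).
sample_mounts() {
cat <<'EOF'
/dev/hda1 on / type ext2 (rw)
proc on /proc type proc (rw)
/dev/fd0 on /floppy type msdos (rw)
srv:/home on /home type nfs (rw,nosuid,nodev)
srv:/usr/local on /usr/local type nfs (rw)
AFS on /afs type afs (rw)
/dev/hdb1 on /export/safs type ext2 (rw)
EOF
}

# Assumption: lines matching the filter are skipped; field 3 of every
# remaining line is a mount point that gets searched for setuid files.
scanned() {
    sample_mounts | grep -E -v "$1" | cut -d ' ' -f 3 | paste -s -d ' ' -
}

echo "original filter scans: $(scanned "$BASE_FILTER")"
echo "with |afs appended:    $(scanned "$AFS_FILTER")"
```

The last constructed line shows that the unanchored `afs` alternative also drops a local ext2 mount whose path merely contains that string; ` type afs` would match only the filesystem type.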