[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: handling group membership in and outside d-i

On Wed, Mar 04, 2009 at 06:12:54PM +0100, Josselin Mouette wrote:
Using things like pam_console or pam_group should not become our default
policy, unless we at least ensure /home, /var and /tmp are mounted
nosuid – and it would be better with the ability to revoke the
permissions on the open devices as well.

Mounting /var nosuid would break things:

  lakeview ok % ls -ld /var/mail
  drwxrwsr-x 2 root mail 4096 2007-05-02 00:22 /var/mail

nosuid prohibits not only suid bits, but sgid bits as well.

brian m. carlson / brian with sandals: Houston, Texas, US
+1 713 440 7475 | http://crustytoothpaste.ath.cx/~bmc | My opinion only
troff on top of XML: http://crustytoothpaste.ath.cx/~bmc/code/thwack
OpenPGP: RSA v4 4096b 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187

Attachment: signature.asc
Description: Digital signature

Reply to: