On Mon, May 27, 2002 at 03:58:04PM -0600, Kurt Seifried wrote:
>
> You can remove pretty much all root setuid/setgid bits with the exception of
> sudo, password utilities (passwd, chsh, chfn), newgrp, at, crontab, and a
> handful of others without significantly removing functionality.

All my firewall and loghost builds mount *every* filesystem nosuid. This doesn't work well on multiuser boxes; you end up needing the suid bit set on binaries like the ones Mr Seifried listed above. It works great on boxes where security is critical, and you don't even have to worry about patches/updates resetting the suid bit on programs ;) Your mileage may vary.

-- 
"Old programmers never die. They just can't C as well." -Anon.
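
One way to audit the setup described in this message, as an added example that is not part of the original post: it reports every mounted filesystem that lacks `nosuid` and lists the setuid/setgid files that remain effective there. It assumes a Linux-style `/proc/mounts` table; the function names and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): find filesystems mounted
# without nosuid, then the setuid/setgid files that still take effect there.
# Input format assumed: device mountpoint fstype options dump pass

# Print the mount point of every entry whose option list lacks "nosuid".
mounts_missing_nosuid() {
    while read -r dev mnt fstype opts rest; do
        # Skip blank lines and comments (fstab-style files can contain them).
        case "$dev" in ''|\#*) continue ;; esac
        # Wrap in commas so "nosuid" only matches as a whole option.
        case ",$opts," in
            *,nosuid,*) ;;
            *) printf '%s\n' "$mnt" ;;
        esac
    done
}

# List setuid/setgid regular files under one mount point, staying on
# that filesystem (-xdev) so nested mounts are judged on their own options.
list_suid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Live audit: setuid/setgid files on every filesystem not mounted nosuid.
# Mount points containing spaces appear as \040 in /proc/mounts and are
# not decoded here.
audit_host() {
    mounts_missing_nosuid < /proc/mounts | while read -r mnt; do
        list_suid_files "$mnt"
    done
}

# Constructed sample table (not taken from a real host).
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /var ext4 rw,nosuid,nodev,relatime 0 0
/dev/sda3 /home ext4 rw,nodev 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0'

# Run the mount check over the constructed sample.
audit_sample() {
    printf '%s\n' "$SAMPLE_MOUNTS" | mounts_missing_nosuid
}
```

On a host built the way the message describes, `audit_host` prints nothing; on a multiuser box it shows which setuid binaries would stop working if the remaining filesystems were switched to `nosuid`.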