Monday, September 14, 2020

Re: Must disable /usr/libexec/security on backup disks

Ingo Schwarze <schwarze@usta.de> wrote:

> Hi Brian,
>
> Brian Brombacher wrote on Mon, Sep 14, 2020 at 07:55:11AM -0400:
>
> > Love the idea; however, the only drawback is if some Bad Person
> > is twiddling around and leaves a suid or dev around on a file system
> > that is nosuid or nodev, you lose visibility.
>
> Doesn't look like a problem to me; that such bits and files are
> ignored on file systems with these mount options is the whole point
> of these options. So AFAICT, such files are not special in such
> places and hence visibility is not really useful.
>
> > Maybe an option to always scan regardless of fs options?
>
> I dislike options unless there is a really strong need for them.
> Why would you want to be notified about SUID files on a nosuid
> file system? What would you want to do about them, and why?

I am happy enough with the diff, and also dislike having a flag.

Can we get it commited and revisit the situation in 10 years?

No comments:

Post a Comment