teaching /etc/security to not run find in afs...

teaching /etc/security to not run find in afs...

Chris Kuethe
People running afs may find this useful, especially if they have many
users. AFS doesn't generally honour s[ug]id bits in afs (unless you
specifically configure otherwise) and devices in afs seem to be
entirely unsupported/disallowed.

In my case, this keeps security from taking more than 12 hours to run...

Comments?

Index: security
===================================================================
RCS file: /cvs/src/etc/security,v
retrieving revision 1.71
diff -u -r1.71 security
--- security    2005/02/22 10:50:55     1.71
+++ security    2005/11/11 17:57:57
@@ -458,7 +458,7 @@
 # Display any changes in setuid/setgid files and devices.
 pending="\nChecking setuid/setgid files and devices:\n"
 (find / \( ! -fstype local -o -fstype fdesc -o -fstype kernfs \
-       -o -fstype procfs \) -a -prune -o \
+       -o -fstype procfs -o -fstype afs -o -fstype xfs \) -a -prune -o \
        -type f -a \( -perm -u+s -o -perm -g+s \) -print0 -o \
        ! -type d -a ! -type f -a ! -type l -a ! -type s -a ! -type p \
        -print0 | xargs -0 ls -ldgT | sort +9 > $LIST) 2> $OUTPUT
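Review bot: the added `-o -fstype xfs` on the changed prune line has no justification in the accompanying message, which only argues for skipping AFS. Either drop `xfs` from this change or state why setuid/setgid files and device nodes on that filesystem type can safely go unreported. Since the expression already starts with `! -fstype local`, it is also worth saying in the commit message that AFS is reported as a local filesystem here, which is why the explicit `-fstype afs` is needed.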

--
GDB has a 'break' feature; why doesn't it have 'fix' too?

Re: teaching /etc/security to not run find in afs...

Chris Kuethe
On 11/11/05, Chris Kuethe <[hidden email]> wrote:
> People running afs may find this useful, especially if they have many
> users. AFS doesn't generally honour s[ug]id bits in afs (unless you
> specifically configure otherwise) and devices in afs seem to be
> entirely unsupported/disallowed.
>
> In my case, this keeps security from taking more than 12 hours to run...
>
> Comments?

Ack. Forgot that cut-n-paste doesn't preserve tabs. My apologies.
Thanks to Theo for pointing this out.

Index: security
===================================================================
RCS file: /cvs/src/etc/security,v
retrieving revision 1.71
diff -u -r1.71 security
--- security 2005/02/22 10:50:55 1.71
+++ security 2005/11/11 18:11:28
@@ -458,7 +458,7 @@
 # Display any changes in setuid/setgid files and devices.
 pending="\nChecking setuid/setgid files and devices:\n"
 (find / \( ! -fstype local -o -fstype fdesc -o -fstype kernfs \
- -o -fstype procfs \) -a -prune -o \
+ -o -fstype procfs -o -fstype afs -o -fstype xfs \) -a -prune -o \
  -type f -a \( -perm -u+s -o -perm -g+s \) -print0 -o \
  ! -type d -a ! -type f -a ! -type l -a ! -type s -a ! -type p \
  -print0 | xargs -0 ls -ldgT | sort +9 > $LIST) 2> $OUTPUT
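Review bot: the unchanged comment `# Display any changes in setuid/setgid files and devices.` above the `find` no longer describes the scan once `-fstype afs -o -fstype xfs` are pruned, and nothing in the output tells the administrator those trees were skipped. The message notes AFS ignores s[ug]id bits "unless you specifically configure otherwise", so a site that does configure it otherwise would silently lose this check. Suggest adding a comment next to the prune expression naming the skipped filesystem types and the assumption behind them, or moving the extra types into a variable the administrator can empty.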

--
GDB has a 'break' feature; why doesn't it have 'fix' too?