search for: nosgid

Displaying 9 results from an estimated 9 matches for "nosgid".

2017 Feb 15
4
Serious attack vector on pkcheck ignored by Red Hat
...ere's /tmp, /var/tmp, and other directories (depending on > software installed) that are writable by users, so unless you mount > something noexec on all of them, you haven't gained much. And yes, ALL user writable places (including often overlooked /dev/shm) are mounted with nosuid, nosgid, nodev, noexec options on servers where users are allowed to have shell. Or you should be able to do something like jail on FreeBSD which you dedicate to user shell login, and restrict it the way you need - don't know off hand how you do it on Linux box, experts will definitely name several way...
2008 Dec 22
1
sgid bit set on ordinary files mounted via smbfs
...=x -o password=y It works and from the Linux side files appear to be owned by user root and group root. Directories appear from Linux to have permissions drwxrwxrwx+, which is okay for this setup, but plain files have -rwxrwSrwx+ with an unwanted sgid bit. I have tried mounting with -o nosuid -o nosgid, but that does not make a difference. What should I do to stop the suid or sgid bits appearing to be set on plain files? I would prefer to keep the Windows side unchanged and alter some configuration on the client. Thanks, -- Ed Avis <eda@waniasset.com>
2016 Feb 24
2
IPtables block user from outbound ICMP
On 24.02.2016 at 16:07, Sylvain CANOINE wrote: > Hello, > > ----- Original Message ----- >> From: "John Cenile" <jcenile1983 at gmail.com> >> To: "centos" <centos at centos.org> >> Sent: Wednesday, 24 February 2016 15:42:36 >> Subject: [CentOS] IPtables block user from outbound ICMP > >> Is it possible at all to block all users
2017 Feb 15
0
Serious attack vector on pkcheck ignored by Red Hat
On 02/15/2017 08:47 AM, Valeri Galtsev wrote: > And yes, ALL user writable places (including often overlooked /dev/shm) > are mounted with nosuid, nosgid, nodev, noexec options on servers where > users are allowed to have shell. How sure are you? On the system I'm looking at right now, any user can write to: /dev/mqueue /dev/shm /run/user/<uid> /run/screen/S-<user> /var/spool/samba /home/<user> /tmp /var/tmp Notably, t...
2002 Oct 24
0
[Fwd: Re: Always use the native protocol of the client -- WAS:How Samba let us down]
...to at least sniff packets to get a password equivalent. > Give a user root on their own box with NFS mounts, and they can do what > they like ... without having to sniff passwords. No, the exporting system decides, who is allowed root access. A good admin exports nfs with 'noroot,nosuid,nosgid,nodev'. So the importing system does not have root access to the imported nfs mount ... > > | > | P.P.S. With that said, Kerberos+OpenAFS is always a nice "universal" > network > | filesystem as well. > | > > With how much cost in setup? > > I think...
2016 Feb 24
0
IPtables block user from outbound ICMP
...o have some boxes like that, and on these boxes I indeed have rather restricted set of tools/commands accessible for users. In addition, users though can build or download stuff, they can not execute anything of their own. In other words, all places users can write to are mounted with "nosuid, nosgid, noexec" options, the last one is the one I mean here (do your own thinking why other two are also there). Once that is done, you can remove "others" read and execute bits from ping command (and other commands you don't want them to be able to use). Sending ping in particular requ...
2017 Feb 15
2
Serious attack vector on pkcheck ignored by Red Hat
On Wed, February 15, 2017 12:23 pm, Gordon Messmer wrote: > On 02/15/2017 08:47 AM, Valeri Galtsev wrote: >> And yes, ALL user writable places (including often overlooked /dev/shm) >> are mounted with nosuid, nosgid, nodev, noexec options on servers where >> users are allowed to have shell. > > > How sure are you? I just run a bunch of find commands before rolling out system to find what I might not like, e.g. finding all world writable files...: find / -perm -2 ! -type l -ls ... > On the...
2016 Feb 25
2
IPtables block user from outbound ICMP
...ke that, and on these boxes > I indeed have rather restricted set of tools/commands accessible for > users. In addition, users though can build or download stuff, they can not > execute anything of their own. In other words, all places users can write > to are mounted with "nosuid, nosgid, noexec" options, the last one is the > one I mean here (do your own thinking why other two are also there). Once > that is done, you can remove "others" read and execute bits from ping > command (and other commands you don't want them to be able to use). Sending > pin...
2017 Feb 15
3
Serious attack vector on pkcheck ignored by Red Hat
Hello Johnny, On Wed, 2017-02-15 at 09:47 -0600, Johnny Hughes wrote: > 2. They already have shell access on the machine in question and they > can already run anything in that shell that they can run via what you > are pointing out. No, assuming noexec /home mounts all they can run is system binaries. > 3. If they have access to a zeroday issue that give them root .. they >