
mount option suid

 
Network Servers
Advisor

mount option suid

What does this option do? Is there documentation on it somewhere? Are there any security concerns around this option?
Don't fly off the handle when you are full of baloney...
3 REPLIES 3
Tom Geudens
Honored Contributor

Re: mount option suid

Hi,
There's info in
#man 1m mount_vxfs

The way I understand it, you are not allowed to execute suid-scripts (present in that particular filesystem) if the "nosuid" option is used in mounting the filesystem. This would make sense for filesystems that are not "local" to the system (NFS-mounted for example).

Regards,
Tom
A life ? Cool ! Where can I download one of those from ?
U.SivaKumar_2
Honored Contributor

Re: mount option suid

Hi,

The nosuid option is mainly for NFS security, which prohibits running any program with setuid in an NFS mount directory, which if malicious can cause the system to come to heel.

By default, suid is set for a mounted filesystem.

regards,
U.SivaKumar
Innovations are made when conventions are broken
Wodisch
Honored Contributor

Re: mount option suid

Hi,

I would not restrict that option ("nosuid" actually!) to only "NFS" mounted filesystems, but to ALL filesystems, which are not under your complete control concerning codefiles/executables/scripts:
- temporary files
- data files
- databases
- file server files
- text/document files
- removable filesystems (floppies, MOs)

And mounting all those filesystems with "nosuid" just keeps everybody from creating (actually: from executing) SUID-programs, i.e. to start a program not under the UID of the starter but the owner of the file.
You'll only need the option "suid" for your root-filesystem, "/usr", and "opt", and possibly for a filesystem containing application codefiles/-scripts.

FWIW,
Wodisch
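
An added example, not part of any post in this thread: a shell check that applies the rule from the last reply to an fstab-style mount table, listing every mount point that lacks "nosuid" and is not one of the filesystems said to need "suid". Assumptions: the input has the mount point in field 2 and the comma-separated options in field 4, the sample table is constructed, the reply's "opt" is read as /opt, and the function name is hypothetical.

```sh
#!/bin/sh
# Constructed fstab-style sample: device, mount point, type, options, ...
SAMPLE_FSTAB='# constructed sample, not taken from a real host
/dev/vg00/lvol3 / vxfs delaylog 0 1
/dev/vg00/lvol7 /usr vxfs delaylog 0 2
/dev/vg00/lvol6 /opt vxfs delaylog 0 2
/dev/vg00/lvol4 /tmp vxfs delaylog,nosuid 0 2
/dev/vg00/lvol5 /home vxfs delaylog 0 2
/dev/vg01/lvdata /data vxfs suid,delaylog 0 2
filesrv:/export/share /share nfs rw,nosuid 0 0
filesrv:/export/docs /docs nfs rw 0 0'

# Mount points where setuid execution is expected (assumption: the list
# from the last reply, with "opt" read as /opt). Extend it for any
# filesystem that holds application code needing setuid.
ALLOW_SUID="/ /usr /opt"

# audit_nosuid (hypothetical name): read fstab-style lines on stdin and
# print each mount point that is mounted without "nosuid" and is not on
# the allow list.
audit_nosuid() {
    awk -v allow="$ALLOW_SUID" '
        BEGIN {
            n = split(allow, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        # Skip comments, short lines and swap entries (no real mount point).
        /^[ \t]*#/ || NF < 4 || $3 == "swap" { next }
        {
            # Compare whole option tokens: a substring match would let
            # an explicit "suid" be mistaken for "nosuid".
            nosuid = 0
            m = split($4, opt, ",")
            for (i = 1; i <= m; i++)
                if (opt[i] == "nosuid") nosuid = 1
            if (!nosuid && !($2 in ok)) print $2
        }'
}

# Run against the constructed sample; on a real host, feed it the mount table.
printf '%s\n' "$SAMPLE_FSTAB" | audit_nosuid
```

Each mount point it prints is a candidate for remounting with "nosuid" after confirming that nothing on it legitimately needs setuid.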