On Mon, 26 Mar 2001, Corvin Russell wrote:
I have run harden_suse on my box, and answered "yes" to all its prompts. The following files are still suid/sgid: do all of them need to be?
<snip>
+ -rwsr-x--- 1 root audio 14880 Mar 22 05:34 /bin/eject
+ -rwsr-xr-x 1 root root 67236 Mar 22 03:51 /bin/mount
<sniiiiip>
Nope. At a quick look, mount only needs to be if a user is to be allowed to mount floppies and cds, eject ditto for ejecting them via software.

Have a look at the PERMISSION_SECURITY setting in /etc/rc.config. That can be set to, for instance, "paranoid local" if you really, really want to block things, but even "secure local" will block mount and eject. I don't honestly know whether harden_suse works independently of this setting, or whether it works based on the files generated by setting that variable - either way, you'll need to set it.

Bjørn
--
Bjørn Tore Sund       Phone: (+47) 555-84894   When in fear,
System administrator  Fax: (+47) 555-89672     and when in doubt:
Math. Department      Mobile: (+47) 918 68075  Run in circles,
University of Bergen  VIP: 81724               scream and shout.
system@mi.uib.no      Email: bjornts@mi.uib.no
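As an added example (not part of the original message and not harden_suse's own code), this shell filter reads `ls -l` lines like the two quoted above and reports, for each setuid/setgid entry, whether any local user or only the owning group can execute it. The function names `classify_mode` and `audit_listing` and the third sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example. Input: `ls -l` lines, for instance produced by
#   find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} +

# classify_mode MODE -> prints "<bits> <reach>" for an ls -l mode string.
#   bits:  suid, sgid, suid+sgid or none
#   reach: world (anyone may execute), group (owner and group only), owner
classify_mode() {
    u=$(printf '%s' "$1" | cut -c4)    # owner execute slot (s/S = setuid)
    g=$(printf '%s' "$1" | cut -c7)    # group execute slot (s/S = setgid)
    o=$(printf '%s' "$1" | cut -c10)   # other execute slot
    bits=none
    case $u in s|S) bits=suid ;; esac
    case $g in
        s|S) if [ "$bits" = suid ]; then bits=suid+sgid; else bits=sgid; fi ;;
    esac
    case $o in
        x|t) reach=world ;;
        *)   case $g in x|s) reach=group ;; *) reach=owner ;; esac ;;
    esac
    printf '%s %s\n' "$bits" "$reach"
}

# audit_listing: reads ls -l lines on stdin and prints one line per
# setuid/setgid file: "<path> <owner>:<group> <bits> <reach>"
audit_listing() {
    while read -r mode _links owner group _size _mon _day _time path; do
        [ -n "$path" ] || continue          # skip lines that are not ls -l entries
        set -- $(classify_mode "$mode")
        if [ "$1" != none ]; then
            printf '%s %s:%s %s %s\n' "$path" "$owner" "$group" "$1" "$2"
        fi
    done
}

# Sample input: the first two lines are the ones quoted in the message,
# the third (/bin/ls) is constructed to show a non-setuid file being skipped.
SAMPLE='-rwsr-x--- 1 root audio 14880 Mar 22 05:34 /bin/eject
-rwsr-xr-x 1 root root 67236 Mar 22 03:51 /bin/mount
-rwxr-xr-x 1 root root 46888 Mar 22 03:51 /bin/ls'

printf '%s\n' "$SAMPLE" | audit_listing
```

On the quoted lines this shows /bin/eject as setuid root but runnable only by members of group audio, while /bin/mount is setuid root and runnable by every local user.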