Open celskeggs opened 7 years ago
Scripts also has yum post-actions to preserve these changes on package upgrades. On Debian, you’d do this with dpkg-statoverride.
Or, you can mount the entire filesystem with the `nosuid` option, which neuters setuid, setgid, and fscaps globally. You can then whitelist individual binaries if needed by bind-mounting them onto themselves with the `suid` option (but really, you can probably just live without `ping` as non-root).
- `su`: You should never need to gain root on a node.
- other binaries: let's maximally avoid privilege escalation.
- `ping`: maybe keep this one.
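As an added example (not part of the issue or the project's own tooling), the shell script below shows the audit side of the approach discussed above: enumerate setuid/setgid files under a directory, check from `/proc/mounts`-style data whether a mountpoint already carries `nosuid`, and print the bind-mount whitelist commands and the `dpkg-statoverride` invocation for a binary such as `ping`. It assumes Linux with util-linux `mount(8)`; the commands that need root are only printed, never executed, and the `/proc/mounts` sample is constructed.

```shell
#!/bin/sh
# Added example: audit setuid binaries and show the nosuid whitelist pattern.
# Assumes Linux with util-linux mount(8). Nothing here modifies the system.

# Constructed sample of /proc/mounts content so the checks run offline.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0'

# list_setuid_files DIR
# Prints regular files under DIR (same filesystem only) with the setuid or
# setgid bit set. -perm -4000 / -perm -2000 is POSIX find syntax.
list_setuid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# mount_has_nosuid MOUNTPOINT [MOUNTS_TEXT]
# Returns 0 if MOUNTPOINT is mounted with nosuid, 1 otherwise.
# MOUNTS_TEXT defaults to the live /proc/mounts; a sample can be passed instead.
mount_has_nosuid() {
    mp=$1
    text=${2:-$(cat /proc/mounts)}
    printf '%s\n' "$text" | awk -v mp="$mp" '
        $2 == mp {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "nosuid") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# print_suid_whitelist BIN...
# Prints the commands that re-enable setuid for individual binaries on a
# filesystem mounted nosuid: bind the file onto itself, then remount that
# bind mount with suid. nosuid is a per-mountpoint flag, so the bind mount
# can carry suid while its parent keeps nosuid.
print_suid_whitelist() {
    for bin in "$@"; do
        printf 'mount --bind %s %s\n' "$bin" "$bin"
        printf 'mount -o remount,bind,suid %s\n' "$bin"
    done
}

# print_statoverride BIN
# Prints the dpkg-statoverride command that strips the setuid bit from BIN
# and keeps it stripped across package upgrades (Debian equivalent of the
# yum post-action mentioned above). Mode 0755 is the usual non-setuid mode.
print_statoverride() {
    printf 'dpkg-statoverride --update --add root root 0755 %s\n' "$1"
}

# Stand-alone demonstration when run directly.
if [ "${0##*/}" != "sh" ] && [ -z "$SUID_AUDIT_LIB" ]; then
    echo "setuid/setgid files under /usr/bin:"
    [ -d /usr/bin ] && list_setuid_files /usr/bin
    for mp in / /home /tmp; do
        if mount_has_nosuid "$mp" "$SAMPLE_MOUNTS"; then
            echo "$mp: nosuid (sample data)"
        else
            echo "$mp: setuid honoured (sample data)"
        fi
    done
    echo "to keep ping working on a nosuid mount:"
    print_suid_whitelist /bin/ping
    echo "to drop setuid from ping permanently on Debian:"
    print_statoverride /bin/ping
fi
```

Run it as `sh suid-audit.sh`; `list_setuid_files` is the part worth scheduling, since a new setuid file appearing outside the whitelist is the thing to alert on.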