can I file sweep / and exclude full pathnames?
From: Nate Campi
Subject: can I file sweep / and exclude full pathnames?
Date: Sat, 28 Dec 2002 12:04:05 -0800
User-agent: Mutt/1.3.28i
How come I can't do this:
files:
    /
        filter=rootownedfiles
        mode=-4000 # no SUID for rootownedfiles
        recurse=inf
        action=fixall
        inform=true
        exclude=/bin/su
        exclude=/usr/lib/pt_chown
        exclude=/usr/bin/crontab
        exclude=/usr/sbin/traceroute
        exclude=/usr/sbin/fping
        exclude=/usr/bin/passwd
        exclude=/usr/bin/su
        exclude=/usr/bin/at
        exclude=/usr/bin/sudo
        exclude=/usr/bin/rsh
        exclude=/usr/sbin/postdrop
        exclude=/usr/sbin/postqueue
        syslog=on
...instead I have to do this:
files:
    /usr/bin
        filter=rootownedfiles
        mode=-4000 # no SUID for rootownedfiles
        recurse=inf
        action=fixall
        inform=true
        exclude=crontab
        exclude=passwd
        exclude=su
        exclude=at
        exclude=sudo
        exclude=rsh
        syslog=on
    /usr/sbin
        filter=rootownedfiles
        mode=-4000 # no SUID for rootownedfiles
        recurse=inf
        action=fixall
        inform=true
        exclude=traceroute
        exclude=fping
        syslog=on
I'd like cfengine to sweep the entire filesystem in one shot, but don't
want to globally allow any file named sudo or su or crontab in any
directory to have the SUID bit set. Is there a simple way to do it like
in the first (non-working) example?
Of course I can do it with a lot of excludes and a lot of smaller sweeps
of chunks of the filesystem, but I'd like to keep it simple.
TIA
--
Nate Campi http://www.campin.net
One of the main causes of the fall of the Roman Empire was that,
lacking zero, they had no way to indicate successful termination of
their C Programs.
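The policy the post is after (one sweep from /, root-owned SUID files stripped of the bit unless their full pathname is on an allowlist) can be expressed outside cfengine as a stand-alone audit. The script below is an added example, not cfengine code and not from the poster; the allowlist is constructed from the exclude= lines above, and the function name, the owner_uid parameter and the fix flag are this example's own choices. It matches exclusions against the complete path, so a second copy of su or sudo dropped into some other directory is still reported, which is exactly the weakness of the basename-only excludes in the second config.

```python
"""Sweep a tree for SUID files owned by one uid, exempting full pathnames.

Added example (not cfengine, not the original post's code). Semantics:
walk ``root`` once, report every regular SUID file owned by ``owner_uid``
whose full path is NOT in ``allowed``; with ``fix=True`` clear the SUID bit
on each offender (the rough equivalent of mode=-4000 action=fixall).
"""
import os
import stat

# Constructed allowlist mirroring the exclude= lines from the first config.
ALLOWED_SUID = frozenset({
    "/bin/su", "/usr/lib/pt_chown", "/usr/bin/crontab", "/usr/sbin/traceroute",
    "/usr/sbin/fping", "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/at",
    "/usr/bin/sudo", "/usr/bin/rsh", "/usr/sbin/postdrop", "/usr/sbin/postqueue",
})


def find_unexpected_suid(root, allowed, owner_uid=0, fix=False):
    """Return the sorted full paths of SUID regular files under ``root`` that
    are owned by ``owner_uid`` and not listed in ``allowed``.

    Exclusion is by full pathname, so "/usr/bin/su" being allowed says
    nothing about a file named "su" anywhere else in the tree.
    """
    offenders = []
    # os.walk does not follow directory symlinks by default, which keeps the
    # sweep from looping or wandering into trees mounted elsewhere via links.
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: a symlink to a SUID file is not SUID itself
            except OSError:
                continue  # vanished or unreadable between listing and stat
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_uid != owner_uid or not st.st_mode & stat.S_ISUID:
                continue
            if path in allowed:  # full-pathname match, not basename match
                continue
            offenders.append(path)
            if fix:
                # Keep every other permission bit, drop only SUID.
                os.chmod(path, stat.S_IMODE(st.st_mode) & ~stat.S_ISUID)
    return sorted(offenders)


if __name__ == "__main__":
    # Report-only run over the live filesystem, root-owned files only.
    for p in find_unexpected_suid("/", ALLOWED_SUID, owner_uid=0):
        print("unexpected SUID:", p)
```

Run without fix=True first and review the report; only after the allowlist matches the host's legitimate set-uid binaries should the fixing pass be enabled, since clearing the bit on something like passwd breaks it for every user.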