Disabling SUID on automounted directories

In general, only the /usr partition on a UNIX box should allow the SUID bit. All other file systems should be mounted -nosuid if possible.

In an NIS environment, it is critical that users' /home directories and the /net file system do not allow the SUID bit.

Here are the default contents of /etc/auto_master in our Solaris environment:

# Master map for automounter
#
+auto_master
/net            -hosts          -nosuid,nobrowse
/home           auto_home       -nobrowse
/xfn            -xfn


Although /net and /home are listed in /etc/auto_master, this information is superseded by the auto_master NIS map; the +auto_master line instructs the automounter to get information first from the auto_master NIS map.

Here are the relevant entries from an the auto.master map:
egrep "/net|/home" auto.master
/home           auto.home               -rw,intr,noquota
/net            -hosts                  -intr,soft,timeo=10,retrans=9,noquota


In order to prevent /home and /net from allowing the SUID bit, we add -nosuid to the mount options:

/home           auto.home               -rw,intr,noquota,nosuid
/net            -hosts                  -intr,soft,timeo=10,retrans=9,noquota,nosuid

In order for the changes to take effect, (1) the auto_master map has to be pushed to the NIS slave servers, and (2) the automount command has to be run on each server in the NIS domain.

Back to brandonhutchinson.com.

Last modified: 03/26/2003