Should we add
/opt/ nosuid
/usr/local/opt nosuid
?
Rationale for /opt is that some manually installed software installs itself to /opt. Some less important functionality might require suid or sgid. The suid/sgid bit might have been accidentally set by a developer. (Or part of legacy install scripts. Useful in the past, then forgotten, now obsolete.) Removal of suid/sgid might in many cases go unnoticed by the user. (In cases where that software is run as root anyhow.)
On the other hand, the /opt folder is empty on a default Debian (based) installation. One could argue if the (super) admin installs files there it should be honored by the system and kept unobstructed.
I guess it depends on whether "(re-)mount home [and other?] with noexec (and nosuid [among other useful mount options]) for better security?" would re-mount /opt with nosuid anyhow?
Other folders where suid binaries might end up?
- /home?
But adding that I guess would be excessive because:
- Will be covered by "(re-)mount home [and other?] with noexec (and nosuid [among other useful mount options]) for better security?" anyhow, which will be a better solution.
- Avoid long scan times during boot.
- Requires root anyhow to create root owned suid binaries. System administrator shouldn’t create root owned suid binaries in home folder anyhow.
Also /root? Depends on the outcome of this post "SUID Disabler and Permission Hardener - #65 by Patrick" - A) vs B).
Others:
- /mnt?
- /media?
- Any others?
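To help answer "other folders where suid binaries might end up", here is a small added scan script. It is not part of the thread or of the permission hardener itself; it just lists setuid/setgid files under whichever directories you pass it and shows whether the filesystem each file lives on is already mounted nosuid (via findmnt), so you can see what an /opt or /usr/local/opt entry would actually affect on a given system. The directory list at the bottom is the one discussed in this post and is only a suggestion.

```shell
#!/bin/sh
# Added example (not from the forum thread or the permission-hardener project):
# list setuid/setgid files under candidate directories and show whether the
# mount backing each file already carries the nosuid option.

# find_suid DIR... : print every regular file with the suid or sgid bit set.
# -xdev keeps the scan on one filesystem per directory (no wandering into
# bind mounts or removable media), which also keeps boot-time scans short.
find_suid() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
    done
}

# mount_has_nosuid PATH : exit 0 if the mount backing PATH has nosuid set.
mount_has_nosuid() {
    findmnt -n -o OPTIONS --target "$1" 2>/dev/null | tr ',' '\n' | grep -qx nosuid
}

# report DIR... : one line per suid/sgid file: mount state, mode owner:group, path.
# "suid-allowed" means the bit is honoured by the kernel on that mount;
# "nosuid" means the bit is present on disk but ignored at exec time.
report() {
    find_suid "$@" | while IFS= read -r f; do
        if mount_has_nosuid "$f"; then
            state="nosuid"
        else
            state="suid-allowed"
        fi
        printf '%s\t%s\t%s\n' "$state" "$(stat -c '%a %U:%G' "$f")" "$f"
    done
}

# Usage (directories named in the post; adjust to taste):
#   report /opt /usr/local/opt /home /root /mnt /media
```

stat -c and findmnt are the GNU coreutils / util-linux variants shipped on Debian; the scan itself needs no root, but files in directories you cannot read are silently skipped, so run it as root for a complete picture.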