new variable SUIDSKIP to exclude paths from setuid and device checks,

useful for example for release(8) DESTDIRs, ro-mounted foreign OS
partitions, nosuid+nodev-mounted backup areas and the like
while here, do not call ls w/o args in case find returns nothing
based on a patch from halex@, re-implemented by me; variable naming by jmc@
ok halex@ jmc@

1 files changed, 11 insertions, 2 deletions

diff --git a/share/man/man8/security.8 b/share/man/man8/security.8
index 7baed3a725a..8d701b8bed7 100644
--- a/share/man/man8/security.8
+++ b/share/man/man8/security.8
@@ -1,8 +1,8 @@
-.\" $OpenBSD: security.8,v 1.16 2009/05/20 22:46:48 schwarze Exp $
+.\" $OpenBSD: security.8,v 1.17 2009/05/24 22:25:12 schwarze Exp $
 .\"
 .\" David Leonard, 2001. Public Domain.
 .\"
-.Dd $Mdocdate: May 20 2009 $
+.Dd $Mdocdate: May 24 2009 $
 .Dt SECURITY 8
 .Os
 .Sh NAME
@@ -116,6 +116,15 @@ file permissions.
 The intent of the
 .Nm
 script is to point out some obvious holes to the system administrator.
+.Sh ENVIRONMENT
+The following variables can be set in
+.Pa /etc/daily.local :
+.Pp
+.Bl -tag -width "SUIDSKIP" -compact
+.It Ev SUIDSKIP
+A whitespace-separated list of absolute paths to be skipped
+in setuid/setgid file checks and in device special file checks.
+.El
 .Sh FILES
 .Bl -tag -width /dev/changelist -compact
 .It Pa /etc/changelist