From owner-freebsd-audit  Fri Jun 15 13: 0:22 2001
Delivered-To: freebsd-audit@freebsd.org
Received: from mass.dis.org (mass.dis.org [216.240.45.41])
	by hub.freebsd.org (Postfix) with ESMTP
	id AEE9337B40C; Fri, 15 Jun 2001 13:00:01 -0700 (PDT)
	(envelope-from msmith@mass.dis.org)
Received: from mass.dis.org (localhost [127.0.0.1])
	by mass.dis.org (8.11.3/8.11.3) with ESMTP id f5FKAoT01353;
	Fri, 15 Jun 2001 13:10:51 -0700 (PDT)
	(envelope-from msmith@mass.dis.org)
Message-Id: <200106152010.f5FKAoT01353@mass.dis.org>
X-Mailer: exmh version 2.1.1 10/15/1999
To: Peter Pentchev <roam@orbitel.bg>
Cc: arch@FreeBSD.ORG, audit@FreeBSD.ORG
Subject: Re: new kldpath(8): display/modify the module search path 
In-reply-to: Your message of "Fri, 15 Jun 2001 22:50:12 +0300."
             <20010615225012.T94445@ringworld.oblivion.bg> 
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 15 Jun 2001 13:10:50 -0700
From: Mike Smith <msmith@freebsd.org>
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-audit.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo?subject=subscribe%20freebsd-audit>
List-Unsubscribe: <mailto:majordomo?subject=unsubscribe%20freebsd-audit>
X-Loop: FreeBSD.ORG

> > Don't check.
> 
> Don't check what - don't check for a directory existence?
> This could lead to problems - theoretically at least, a startup
> script could add a not-yet-mounted directory, and then some
> user (who can see the contents of the kern.module_path sysctl)
> could mount his own directory there, and invoke a module load..
> 
> I know this is paranoid, but ldconfig already performs these
> checks, and ignores non-existent directories.  It's true that
> ldconfig only makes the pass at invocation time, so it does
> not have to deal with the problem of adding a non-existent dir
> for future reference, but even so, ldconfig warns about the problem,
> which means kldpath/kldconfig should error out :)
> 
> Or maybe I've misunderstood your "don't check" comment.
> If so, apologies for the wasted bandwidth :)

IMO, ldconfig shouldn't check, and neither should kldconfig.  However, my 
principal encouragement here is to make kldconfig behave as much like 
ldconfig as possible (where it makes sense), so yes, go ahead and check, 
but don't be deluded into thinking this actually offers any real security.

The kldload codepath should still be checking modules wrt. security.

-- 
... every activity meets with opposition, everyone who acts has his
rivals and unfortunately opponents also.  But not because people want
to be opponents, rather because the tasks and relationships force
people to take different points of view.  [Dr. Fritz Todt]
           V I C T O R Y   N O T   V E N G E A N C E



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-audit" in the body of the message