From owner-freebsd-arch@FreeBSD.ORG Thu Mar 25 05:52:36 2004
Date: Thu, 25 Mar 2004 08:50:18 -0500 (EST)
From: Robert Watson
To: Pawel Jakub Dawidek
cc: freebsd-arch@FreeBSD.org
In-Reply-To: <20040325123554.GZ8930@darkness.comp.waw.pl>
Subject: Re: SUIDDIR -> security.bsd.suiddir_enable.

On Thu, 25 Mar 2004, Pawel Jakub Dawidek wrote:

> On Thu, Mar 25, 2004 at 11:06:38PM +1100, Bruce Evans wrote:
> +> On Thu, 25 Mar 2004, Pawel Jakub Dawidek wrote:
> +>
> +> > Any objection on such exchange?
> +> >
> +> > In p4 pjd_suiddir branch I've code that replaces the SUIDDIR kernel option
> +> > with the sysctl security.bsd.suiddir_enable, which is turned off by
> +> > default. The SUIDDIR option is not removed, but it now means: turn on suiddir
> +> > functionality by default.
> +>
> +> Using SUIDDIR is controlled by the MNT_SUIDDIR mount option, so there
> +> shouldn't be another knob to control it. If there is a security problem
> +> using MNT_SUIDDIR, then MNT_SUIDDIR should be disallowed up front so
> +> that all the places that implement SUIDDIR don't have to test
> +> both knobs.
>
> First of all this adds 0 overhead. And I think there is a need for an
> additional level of security for such functionality, but I see no reason
> to force people to recompile the kernel.

Actually, I think what Bruce is actually saying is that the MNT_SUIDDIR
mount option should be sufficient without a sysctl, if we really think
suiddir is safe to use, rather than offering a global disable off by
default. So the question really becomes "do we want to use recompilation
as a hurdle to discourage use of this feature"...

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Senior Research Scientist, McAfee Research
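The two designs argued over above, written out as an added illustration that is not code from this thread or from the FreeBSD kernel: a simplified model of the SUIDDIR owner-inheritance decision, once with a global sysctl-style knob tested on every creation path (the proposal), and once with the knob enforced at mount time so creation paths test only MNT_SUIDDIR (Bruce's suggestion). All struct, field and flag names are invented stand-ins, not the kernel's own, and the root-owned-directory exclusion is modelled here as an assumption about the feature's semantics.

```c
/*
 * Added illustration, not FreeBSD code. Models where a "disable suiddir"
 * knob can live and what each placement costs the file-creation paths.
 * Names below are invented stand-ins for kernel structures (assumption).
 */
#include <stdbool.h>
#include <stdio.h>

#define MNT_SUIDDIR_FLAG 0x1    /* stand-in for the MNT_SUIDDIR mount flag */
#define S_ISUID_BIT      04000  /* setuid bit in a directory mode */

struct mount_model { unsigned flags; };           /* per-mount state */
struct dir_model   { unsigned mode; unsigned uid; }; /* parent directory */

/* Stand-in for a security.bsd.suiddir_enable sysctl; 0 = off by default. */
static int suiddir_enable = 0;

int set_suiddir_enable(int value)
{
    suiddir_enable = value ? 1 : 0;
    return suiddir_enable;
}

/* Shared rule: inherit the directory owner only for setuid directories
 * not owned by root (exclusion assumed here) and not by the creator. */
static bool dir_wants_inheritance(const struct dir_model *dir,
                                  unsigned creator_uid)
{
    return (dir->mode & S_ISUID_BIT) && dir->uid != 0 &&
           dir->uid != creator_uid;
}

/* Design A (the proposal): every creation path tests both knobs. */
unsigned new_file_owner_with_knob(const struct mount_model *mp,
                                  const struct dir_model *dir,
                                  unsigned creator_uid)
{
    if (suiddir_enable && (mp->flags & MNT_SUIDDIR_FLAG) &&
        dir_wants_inheritance(dir, creator_uid))
        return dir->uid;
    return creator_uid;
}

/* Design B (Bruce's suggestion): refuse MNT_SUIDDIR up front at mount
 * time when the feature is disabled... */
bool mount_accepts_flags(unsigned requested_flags, unsigned *out_flags)
{
    if ((requested_flags & MNT_SUIDDIR_FLAG) && !suiddir_enable)
        return false;           /* mount rejected; no per-file checks needed */
    *out_flags = requested_flags;
    return true;
}

/* ...so the creation path tests only the mount flag. */
unsigned new_file_owner_mount_only(const struct mount_model *mp,
                                   const struct dir_model *dir,
                                   unsigned creator_uid)
{
    if ((mp->flags & MNT_SUIDDIR_FLAG) &&
        dir_wants_inheritance(dir, creator_uid))
        return dir->uid;
    return creator_uid;
}

int main(void)
{
    /* Constructed scenario: setuid directory owned by uid 1001, file
     * created by uid 1002 on a mount that requested MNT_SUIDDIR. */
    struct mount_model mp = { MNT_SUIDDIR_FLAG };
    struct dir_model dir = { S_ISUID_BIT | 0777, 1001 };
    unsigned accepted;

    set_suiddir_enable(0);
    printf("knob off, design A owner: %u\n",
           new_file_owner_with_knob(&mp, &dir, 1002));
    printf("knob off, design B mount accepted: %s\n",
           mount_accepts_flags(MNT_SUIDDIR_FLAG, &accepted) ? "yes" : "no");

    set_suiddir_enable(1);
    printf("knob on, design A owner: %u\n",
           new_file_owner_with_knob(&mp, &dir, 1002));
    printf("knob on, design B owner: %u\n",
           new_file_owner_mount_only(&mp, &dir, 1002));
    return 0;
}
```

The point the model makes concrete: in design A the policy decision is repeated in every place that implements SUIDDIR, so a missed check anywhere silently re-enables the feature, while in design B the decision is made once and the disabled state is simply an absent mount flag.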