Date: Fri, 15 Jun 2001 16:04:18 -0400 (EDT) From: Robert Watson <rwatson@freebsd.org> To: Mike Smith <msmith@freebsd.org> Cc: Peter Pentchev <roam@orbitel.bg>, arch@freebsd.org, audit@freebsd.org Subject: Re: new kldpath(8): display/modify the module search path Message-ID: <Pine.NEB.3.96L.1010615160106.47461K-100000@fledge.watson.org> In-Reply-To: <200106152010.f5FKAoT01353@mass.dis.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, 15 Jun 2001, Mike Smith wrote: > IMO, ldconfig shouldn't check, and neither should kldconfig. However, > my principal encouragement here is to make kldconfig behave as much like > ldconfig as possible (where it makes sense), so yes, go ahead and check, > but don't be deluded into thinking this actually offers any real > security. My feeling here is that UNIX is about letting people shoot themselves in the feet--or alternatively, not hard-coding policy when we don't know everything about the environments where it will be used. I'd prefer we: 1) Ship with only secure directories are in the kernel and library paths. 2) Modify the daily security script to detect when that's not the case. 3) Un-modify ldconfig to perform the check, and not make similar kld tools do the check. It's a bit like all of the following: 1) We let people add stuff to LD_LIBRARY_PATH if they want. 2) We let people add stuff to their normal path if they want. 3) We let people put /bin/sh in an inetd.conf line if they want. 4) We let people put null password entries in the file, have multiple users with uid 0, ... We just don't do this by default, and in many cases provide warnings. Once we support MAC, then we can provide a twiddle that will allow the admin to mandatorily *prevent* users from doing stupid things. But having partial hacks everywhere that implement a tiny fraction of anything useful just unnecessarily breaks things in unexpected ways. Robert N M Watson FreeBSD Core Team, TrustedBSD Project robert@fledge.watson.org NAI Labs, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-arch" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.NEB.3.96L.1010615160106.47461K-100000>