From owner-freebsd-stable@FreeBSD.ORG Sun Dec 23 15:51:32 2012
Message-ID: <50D7287C.7020802@aldan.algebra.com>
Date: Sun, 23 Dec 2012 10:51:24 -0500
From: "Mikhail T."
To: brooks@freebsd.org
Cc: stable@FreeBSD.org
Subject: What is "negative group permissions"? (Re: narawntapu security run output)
References: <201212230805.qBN850Pj083122@narawntapu.narawntapu>
In-Reply-To: <201212230805.qBN850Pj083122@narawntapu.narawntapu>
List-Id: Production branch of FreeBSD source code

On 23.12.2012 03:05, Charlie Root wrote:
> Checking negative group permissions:
> 8903027 -rw--w-r-- 1 mi www 794277 Oct 23 07:47:45 2007 /home/mi/public_html/syb/order/download.log

Hello!

The above started to appear in the daily security run output after I upgraded to 9.1. I don't understand what this check is doing or why the above file is reported: what's abnormal (warning-worthy) about allowing the web server to write to, but not read, a file? I did it on purpose to keep all files associated with a project together, but without inadvertently serving some of them...

The actual script generating this warning (110.neggrpperm) was added in 2010 and was meant to be off by default. There is no explicit mention of the knob daily_status_security_neggrpperm_enable in the log for etc/defaults/periodic.conf... I understand I can explicitly disable it, but I'm curious... Whether it should run by default or not, what is the purpose of it?

Thanks,

-mi
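The check the message asks about flags files whose group triple grants less than the "other" triple: the kernel applies exactly one triple to a caller and never falls through, so a member of the owning group can be denied what everyone else is allowed. The Python below is an added example, not the periodic(8) script or any FreeBSD code; it reimplements that comparison, walks a directory tree the way such a check would, and applies it to the mode string quoted in the report above.

```python
import os
import stat

# (other bit, group bit, letter): if "other" has the bit and "group" does not,
# a member of the owning group is denied something the rest of the world gets.
# For the reported file (-rw--w-r--) the www group can write but not read,
# while every non-member can read it.
_PAIRS = (
    (stat.S_IROTH, stat.S_IRGRP, "r"),
    (stat.S_IWOTH, stat.S_IWGRP, "w"),
    (stat.S_IXOTH, stat.S_IXGRP, "x"),
)


def negative_group_bits(mode: int) -> str:
    """Return the permission letters that 'other' has but 'group' lacks ('' if none)."""
    return "".join(letter for other, group, letter in _PAIRS
                   if mode & other and not mode & group)


def parse_symbolic(perm: str) -> int:
    """Turn an ls(1)-style string such as '-rw--w-r--' into rwx mode bits.
    Lower-case s/t count as the x bit set; '-', 'S' and 'T' count as clear."""
    bits = perm[1:10]  # skip the file-type character
    if len(bits) != 9:
        raise ValueError("expected a 10-character ls mode string")
    mode = 0
    for i, ch in enumerate(bits):
        if ch in "rwxst":
            mode |= 1 << (8 - i)  # leftmost bit is owner read (0o400)
    return mode


def find_negative_group_perms(root: str):
    """Walk root and return (path, symbolic mode, missing letters) for every
    regular file whose group is granted less than 'other'."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable: skip rather than abort the scan
            if not stat.S_ISREG(st.st_mode):
                continue
            missing = negative_group_bits(st.st_mode)
            if missing:
                hits.append((path, stat.filemode(st.st_mode), missing))
    return hits


if __name__ == "__main__":
    # Constructed sample: the mode string from the security-run output above.
    mode = parse_symbolic("-rw--w-r--")
    print(oct(mode), "group lacks:", negative_group_bits(mode))  # 0o624 group lacks: r
```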