Date: Fri, 11 Jan 2013 15:40:35 -0800
From: Peter Wemm <peter@wemm.org>
To: Brooks Davis <brooks@freebsd.org>
Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org
Subject: Re: svn commit: r245316 - in head: . etc
Message-ID: <CAGE5yCqapA_hG7L9xTPdm4p1jQDUF0NMmExaOgMYActx15_8_Q@mail.gmail.com>
In-Reply-To: <CAGE5yCrgJ9qcdYD6RwpGQYtyTQ-FignBHC5W79bo3s7syP-Yvg@mail.gmail.com>
References: <201301112308.r0BN8JP4093605@svn.freebsd.org> <CAGE5yCrgJ9qcdYD6RwpGQYtyTQ-FignBHC5W79bo3s7syP-Yvg@mail.gmail.com>

On Fri, Jan 11, 2013 at 3:19 PM, Peter Wemm <peter@wemm.org> wrote:
> On Fri, Jan 11, 2013 at 3:08 PM, Brooks Davis <brooks@freebsd.org> wrote:
>
>> -IMAKE= ${IMAKEENV} ${MAKE} -f Makefile.inc1
>> +IMAKE= ${IMAKEENV} ${MAKE} -f Makefile.inc1 \
>> + INSTALL="install -N ${.CURDIR}/etc" \
>> + MTREE_CMD="nmtree -N ${.CURDIR}/etc"
>
> How does this work with worlds with different UID/GID assignments?
> Eg: the freebsd.org cluster?
>
> ${.CURDIR}/etc/master.passwd does not match the installed system.

Case in point, the freebsd.org cluster has used postfix before
sendmail gained its privilege separation. We had:

postfix:*:25:postfix
postdrop:*:26:

.. long before sendmail added:

smmsp:*:25:
mailnull:*:26:

On an existing machine we have:

-r-xr-sr-x 1 root smmsp 719336 Jan 6 15:13 /usr/libexec/sendmail/sendmail

But on the freebsd.org machines that have machines dating back to
1998, this change would cause:

-r-xr-sr-x 1 root postfix 719336 Jan 6 15:13 /usr/libexec/sendmail/sendmail

With a silent change like that, if the admin doesn't notice.. who can
tell what would happen? Silently giving sendmail setgid access to
another subsystem's gid is.. just POLA violation at every conceivable
level and potentially dangerous.

These tools from netbsd were meant for cross compiling.. ie: when
DESTDIR != /.

--
Peter Wemm - peter@wemm.org; peter@FreeBSD.org; peter@yahoo-inc.com; KI6FJV
bitcoin:188ZjyYLFJiEheQZw4UtU27e2FMLmuRBUE
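
Review bot: the two added lines pass -N ${.CURDIR}/etc to install and nmtree unconditionally, so owner and group names are resolved against the source tree's etc databases even when the install target is the running system, where the same names may map to different numeric ids. Consider adding -N only when DESTDIR is set to something other than /, and add a comment above IMAKE explaining why the source tree's databases are used.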
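
Added example (not part of the original message or of FreeBSD's build system): a pre-install check that compares the source tree's etc/group with the installed /etc/group and flags the gid reuse described in the message. The names group_drift and write_samples and the sample files are constructed; gids 25 and 26 follow the message, while 125 and 126 are made up.

```shell
#!/bin/sh
# group_drift SRC_GROUP SYS_GROUP
# For each group in SRC_GROUP (e.g. ${.CURDIR}/etc/group) report:
#   COLLISION  its gid belongs to a different name in SYS_GROUP
#   MISMATCH   the same name has a different gid in SYS_GROUP
group_drift() {
    awk -F: '
        /^#/ || NF < 3 { next }                       # skip comments, junk
        FILENAME == ARGV[1] { src_gid[$1] = $3; order[++n] = $1; next }
        { sys_gid[$1] = $3; if (!($3 in sys_name)) sys_name[$3] = $1 }
        END {
            for (i = 1; i <= n; i++) {
                name = order[i]; gid = src_gid[name]
                if ((gid in sys_name) && sys_name[gid] != name)
                    printf "COLLISION %s gid=%s belongs_to=%s\n", name, gid, sys_name[gid]
                else if ((name in sys_gid) && sys_gid[name] != gid)
                    printf "MISMATCH %s src_gid=%s sys_gid=%s\n", name, gid, sys_gid[name]
            }
        }' "$1" "$2"
}

# Constructed sample data written into directory $1.
write_samples() {
    cat > "$1/src_group" <<'EOF'
# source tree etc/group (constructed excerpt)
wheel:*:0:root
smmsp:*:25:
mailnull:*:26:
EOF
    cat > "$1/sys_group" <<'EOF'
# installed /etc/group on a long-lived host (constructed excerpt)
wheel:*:0:root
postfix:*:25:postfix
postdrop:*:26:
smmsp:*:125:
mailnull:*:126:
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
group_drift "$tmp/src_group" "$tmp/sys_group"
rm -rf "$tmp"
```

A COLLISION line means a file installed with that group name resolved from the source tree would end up owned by the other group on the installed system, which matters most for setgid binaries.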