From owner-freebsd-security@FreeBSD.ORG Thu Dec 29 21:30:44 2011
Delivered-To: freebsd-security@FreeBSD.ORG
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C1982106566B; Thu, 29 Dec 2011 21:30:44 +0000 (UTC) (envelope-from ache@vniz.net)
Received: from vniz.net (vniz.net [194.87.13.69]) by mx1.freebsd.org (Postfix) with ESMTP id 351528FC14; Thu, 29 Dec 2011 21:30:43 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by vniz.net (8.14.5/8.14.5) with ESMTP id pBTLUc8h072431; Fri, 30 Dec 2011 01:30:38 +0400 (MSK) (envelope-from ache@vniz.net)
Received: (from ache@localhost) by localhost (8.14.5/8.14.5/Submit) id pBTLUcAX072430; Fri, 30 Dec 2011 01:30:38 +0400 (MSK) (envelope-from ache)
Date: Fri, 30 Dec 2011 01:30:38 +0400
From: Andrey Chernov
To: John Baldwin
Cc: freebsd-security@FreeBSD.ORG, Doug Barton, d@delphij.net
Subject: Re: svn commit: r228843 - head/contrib/telnet/libtelnet head/crypto/heimdal/appl/telnet/libtelnet head/include head/lib/libc/gen head/lib/libc/iconv head/lib/libc/include head/lib/libc/net head/libexec...
Message-ID: <20111229213038.GA69220@vniz.net>
Mail-Followup-To: Andrey Chernov, John Baldwin, d@delphij.net, freebsd-security@FreeBSD.ORG, Doug Barton
References: <201112231500.pBNF0c0O071712@svn.freebsd.org> <201112291435.03493.jhb@freebsd.org> <4EFCCDDF.5080602@delphij.net> <201112291617.05113.jhb@freebsd.org>
In-Reply-To: <201112291617.05113.jhb@freebsd.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.21 (2010-09-15)
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues [members-only posting]"
X-List-Received-Date: Thu, 29 Dec 2011 21:30:44 -0000

On Thu, Dec 29, 2011 at 04:17:04PM -0500, John Baldwin wrote:
> Presumably one could do a static ls.
> Even with the built-in ls we
> create a dummy passwd/group file for the anonymous chroot by default.
> I agree a built-in ls is strictly better, however. I would also be
> fine with removing all notion of execv for helper programs from ftpd
> and have it only ever use the built-in ls via ftpd_popen().

Don't think about our ftpd only. Other ones call date(1), tar(1), etc.

> However,
> I do think that this mostly falls down to creating "safe" chroot / jail
> areas rather than the OS being able to defend unsafe areas.

I agree. We can describe the safe way better in our documentation, but can't prevent foot shooting without a penalty for "good" admins. A bad example is M$ Windows, which tries to prevent foot shooting from _inside_ the system by greedy and annoying permanent antivirus monitoring.

-- 
http://ache.vniz.net/