From: Edward Napierala
Date: Fri, 25 Jan 2019 09:50:51 +0000
To: Devin Teske
Cc: rgrimes@freebsd.org, src-committers, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r343440 - head/bin/sh
Message-ID: <20190125095051.GA26744@v2>
In-Reply-To: <6DD219EC-C898-499E-BF58-AB653A7114DB@FreeBSD.org>
List-Id: SVN commit messages for the src tree for head/-current

Excuse my brevity; I'll address the rest after getting some sleep, but I'd
like to clarify one crucial thing. I think that's actually _the_ point where
I screwed up: I didn't expect people to actually care for what I considered
a cosmetic change, and I didn't realize the need to explain what this commit
does _not_ affect. (And I've been reminded by rgrimes@ more than once that
I should pay more attention to my commit messages. Oh well. Perhaps I'll
learn this time.)

On 0125T1647, Devin Teske wrote:
>
>
> > On Jan 25, 2019, at 1:13 AM, Edward Napierala wrote:

[..]

> >>>> PS1 should have a reasonable default. If that default is not reasonable, then we should change the C code.
> >>>>
> >>>> Maybe I see things differently, but I'd rather see PS1 default change so no profile/shrc change is necessary.
> >>>
> >>> Thank you, that's actually a valid argument. I believe that's also what
> >>> bash does. It would be more intrusive, though, and I kind of don't like
> >>> the idea of hardcoding things that can easily be dealt with in a more
> >>> "high-level" way.
> >>>
> >>>> I prefer that sh, in its default configuration, not attempt to read $HOME/.shrc, for security reasons.
> >>>
> >>> Can you elaborate? It already reads $HOME/.profile; how is $HOME/.shrc
> >>> different?
> >>
> >> If you read "The Cuckoo's Egg" by Clifford Stoll, you'll understand the importance of "one place to exploit versus two."
> >>
> >> (situation)
> >>
> >> Say you've been running FreeBSD for 20 years (it turned 25 years old last year, so this is not only possible, but plausible).
> >> You know all the areas of interest where an attacker could inject code.
> >> You take care to lock down each one.
> >> But come to your surprise ...
> >>
> >> (hypothetical)
> >>
> >> 6 months after you upgraded from 11.2 to the latest 12.x, you find that you didn't take into account that $HOME/.profile (which you perhaps locked down with a "chflags" command) now branches out to a new file which you've never taken steps to lock down, keep an eye on, or audit (e.g., by using DTrace remote-logging, tripwire, or other means). You only found out 6 months after the upgrade because someone exploited it. At that point, the security event has already occurred.
> >>
> >> When I worked at "the banks" shit like this was always on our radar. Changes like this were often cited for the reason why one bank moved to BoKs for security.
> >
> > The change we're discussing doesn't affect upgrades at all - it's only
> > for new installs.
>
> mergemaster, iirc, will merge in changes to etc files after an upgrade.
> So this would affect anybody that goes through an upgrade and performs mergemaster.

No, it won't - it doesn't affect files in /etc at all. It doesn't affect
stuff that's being installed by mergemaster(8), nor stuff installed by
'make install'. It only affects the default /root/.profile and /root/.shrc,
as installed by bsdinstall(8) or shipped as VM or SD card images.

[..]

> > And it doesn't affect root by default, you
> > need to change their shell from csh(1) to sh(1).
>
> By your own commit message's admission, this is for the toor account, so it does affect a user (and as you were keen to point out, users with the default shell).

Yes, but it only affects the toor account for new installs, and the account
is locked by default.
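The concern in the thread is that .profile now branches out to a second file an administrator may never have put under watch. As an added example (not code from this thread, from FreeBSD or from bin/sh), here is a POSIX sh audit that lists the startup files sh(1) would read for a given home directory, following the ENV= assignment in .profile the way the shipped profile pulls in .shrc, and flags files that are missing or group/world-writable. It assumes the ENV value starts with $HOME, ${HOME} or ~/; the function names are my own.

```shell
# Print MISSING, WORLD_WRITABLE, GROUP_WRITABLE or OK for one startup file.
# ls -ld is used instead of stat(1) because stat's flags differ between
# FreeBSD and Linux; columns 1-10 are the mode string on both.
startup_file_status() {
    f="$1"
    [ -e "$f" ] || { echo MISSING; return 0; }
    perms=$(ls -ld "$f" | cut -c1-10)
    case "$perms" in
        ????????w?) echo WORLD_WRITABLE ;;
        ?????w????) echo GROUP_WRITABLE ;;
        *)          echo OK ;;
    esac
}

# Print .profile, then the file named by the last ENV= assignment in it
# (this is the mechanism by which .profile "branches out" to .shrc).
# Only a leading $HOME, ${HOME} or ~/ is expanded (assumption of this example).
sh_startup_files() {
    home="$1"
    profile="$home/.profile"
    echo "$profile"
    [ -r "$profile" ] || return 0
    env_spec=$(sed -n 's/^[[:space:]]*\(export[[:space:]]*\)*ENV=\([^;[:space:]]*\).*/\2/p' "$profile" | tail -n 1)
    [ -n "$env_spec" ] || return 0
    env_spec=$(printf '%s\n' "$env_spec" | tr -d "\"'")
    case "$env_spec" in
        '$HOME/'*|'${HOME}/'*|'~/'*) env_spec="$home/${env_spec#*/}" ;;
    esac
    echo "$env_spec"
}

# One line per startup file: "<path> <status>".
audit_sh_startup() {
    sh_startup_files "$1" | while IFS= read -r f; do
        printf '%s %s\n' "$f" "$(startup_file_status "$f")"
    done
}
```

Run `audit_sh_startup /root` (or any home directory) to see every file the login shell will source; a MISSING entry is a path an attacker with write access to that directory could create, so it deserves the same chflags or monitoring treatment as .profile itself.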