Date:      Thu, 25 Mar 2004 13:35:54 +0100
From:      Pawel Jakub Dawidek <pjd@FreeBSD.org>
To:        Bruce Evans <bde@zeta.org.au>
Cc:        freebsd-arch@freebsd.org
Subject:   Re: SUIDDIR -> security.bsd.suiddir_enable.
Message-ID:  <20040325123554.GZ8930@darkness.comp.waw.pl>
In-Reply-To: <20040325225342.D36800@gamplex.bde.org>
References:  <20040324235120.GU8930@darkness.comp.waw.pl> <20040325225342.D36800@gamplex.bde.org>

On Thu, Mar 25, 2004 at 11:06:38PM +1100, Bruce Evans wrote:
+> On Thu, 25 Mar 2004, Pawel Jakub Dawidek wrote:
+>
+> > Any objection on such exchange?
+> >
+> > In the p4 pjd_suiddir branch I have code that replaces the SUIDDIR kernel option
+> > with the security.bsd.suiddir_enable sysctl, which is turned off by
+> > default. The SUIDDIR option is not removed, but it now means: turn on suiddir
+> > functionality by default.
+>
+> Using SUIDDIR is controlled by the MNT_SUIDDIR mount option, so there
+> shouldn't be another knob to control it.  If there is a security problem
+> using MNT_SUIDDIR, then MNT_SUIDDIR should be disallowed up front so
+> that all the places that implement SUIDDIR don't have to test
+> both knobs.

First of all, this adds 0 overhead.
And I think there is a need for an additional level of security for such
functionality, but I see no reason to force people to recompile the kernel.

-- 
Pawel Jakub Dawidek                       http://www.FreeBSD.org
pjd@FreeBSD.org                           http://garage.freebsd.pl
FreeBSD committer                         Am I Evil? Yes, I Am!