Date: Thu, 25 Mar 2004 13:35:54 +0100 From: Pawel Jakub Dawidek <pjd@FreeBSD.org> To: Bruce Evans <bde@zeta.org.au> Cc: freebsd-arch@freebsd.org Subject: Re: SUIDDIR -> security.bsd.suiddir_enable. Message-ID: <20040325123554.GZ8930@darkness.comp.waw.pl> In-Reply-To: <20040325225342.D36800@gamplex.bde.org> References: <20040324235120.GU8930@darkness.comp.waw.pl> <20040325225342.D36800@gamplex.bde.org>
next in thread | previous in thread | raw e-mail | index | archive | help
--6CpFlezhW0MxRmxw Content-Type: text/plain; charset=iso-8859-2 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Mar 25, 2004 at 11:06:38PM +1100, Bruce Evans wrote: +> On Thu, 25 Mar 2004, Pawel Jakub Dawidek wrote: +>=20 +> > Any objection on such exchange? +> > +> > In p4 pjd_suiddir branch I've a code that replace SUIDDIR kernel option +> > with sysctl security.bsd.suiddir_enable sysctl with is turned off by +> > default. SUIDDIR option is not removed, but it means now: turn on suid= dir +> > functionality by default. +>=20 +> Using SUIDDIR is controlled by the MNT_SUIDDIR mount option, so there +> shouldn't be another knob to control it. If there is a security problem +> using MNT_SUIDDIR, then MNT_SUIDDIR should be disallowed up front so +> that that all the places that implement SUIDDIR don't have to test +> both knobs. First of all this adds 0 overhead. And I think there is a need for additional level of security for such functionality, but I see no reason to force people to recompile kernel. --=20 Pawel Jakub Dawidek http://www.FreeBSD.org pjd@FreeBSD.org http://garage.freebsd.pl FreeBSD committer Am I Evil? Yes, I Am! --6CpFlezhW0MxRmxw Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (FreeBSD) iD8DBQFAYtIqForvXbEpPzQRAtMlAKDccfUxz8WfXLXZ5pbOgmyvDe8z2QCg99LU hVK7fpNLCUsiRpS/sRUVh9w= =PToh -----END PGP SIGNATURE----- --6CpFlezhW0MxRmxw--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040325123554.GZ8930>