From owner-freebsd-arch Wed Jul 26 19:36:18 2000
Delivered-To: freebsd-arch@freebsd.org
Received: from wall.polstra.com (rtrwan160.accessone.com [206.213.115.74]) by hub.freebsd.org (Postfix) with ESMTP id BD2B737B6DF; Wed, 26 Jul 2000 19:36:14 -0700 (PDT) (envelope-from jdp@polstra.com)
Received: from vashon.polstra.com (vashon.polstra.com [206.213.73.13]) by wall.polstra.com (8.9.3/8.9.3) with ESMTP id TAA24105; Wed, 26 Jul 2000 19:36:14 -0700 (PDT) (envelope-from jdp@polstra.com)
Message-ID:
X-Mailer: XFMail 1.3 [p0] on FreeBSD
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
Date: Wed, 26 Jul 2000 19:36:13 -0700 (PDT)
Organization: Polstra & Co., Inc.
From: John Polstra
To: arch@freebsd.org
Subject: How much security should ldconfig enforce?
Sender: owner-freebsd-arch@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I am building a bike shed, and I was wondering if you could advise me about what color it should be. :-)

Just kidding -- this is about ldconfig.

Last night I committed some security-related changes that somebody submitted to me. The changes make ldconfig refuse to pay attention to directories which are world-writable or not owned by root. In the commit message I also stated a desire to strengthen it further by disallowing group-writable directories.

One committer wrote to me and said he didn't like that last idea. His reason was that in some scenarios multiple developers might want to collaborate in such a way that any of them could add shared libraries to certain directories which were writable by their common group. He went on to say that even the changes I already committed seemed a bit too strict, and that if a user wants to run an insecure machine for some reason then ldconfig shouldn't take away the sword he wishes to fall upon.

I am sympathetic to these points and am ambivalent about how strict ldconfig ought to be.

Here are some different behaviors it could be made to have:

1. It could allow anything, just like it did before I made my commit.

2. It could strictly enforce secure ownerships, groups, and permissions -- i.e., keep last night's commit and add group writability checking too.

3. It could default to strictly secure but accept a command-line option to relax the constraints. And an rc.conf knob could be added to control whether or not it was strict at boot time.

What do you folks think about this?

John
--
  John Polstra                                               jdp@polstra.com
  John D. Polstra & Co., Inc.                        Seattle, Washington USA
  "Disappointment is a good sign of basic intelligence."  -- Chögyam Trungpa

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-arch" in the body of the message