Date: Sun, 22 Sep 2013 21:29:20 +0200
From: Mateusz Guzik
To: Ian Lepore
Subject: Re: exec on /usr/src?
Message-ID: <20130922192920.GA7873@dft-labs.eu>
Cc: Freebsd current, Larry Rosenman

On Sun, Sep 22, 2013 at 09:41:55AM -0600, Ian Lepore wrote:
> On Sun, 2013-09-22 at 09:37 -0500, Larry Rosenman wrote:
> > Is it intended that we need to set exec=on for /usr/src after the
> > include/mk-osreldate.sh addition?
> >
>
> Are you saying you have /usr/src mounted with the noexec option and
> that's preventing the script from running? The mount manpage says that
> you may still run scripts from a noexec mount, but maybe that's
> outdated.
>

I'm pretty sure it tries to say that if there is a script on a noexec
fs, you still can run it just like you did in your patch.

While such a way to "bypass" noexec for scripts seems obvious, I guess it
makes sense to document it so that no one does 'sh/python/perl foo' and
claims a vulnerability was discovered (it would be impossible to "fix"
this anyway).

-- 
Mateusz Guzik
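The behaviour discussed in this message, as an added example that is not part of the original thread or the FreeBSD tree: a build helper that runs a script through its interpreter, so that only the interpreter binary has to pass execve(2). The names `run_script`, `demo` and `gen.sh` are hypothetical, and a cleared execute bit stands in for the noexec mount (which needs root to set up); in both cases a direct exec of the file fails with a permission error.

```shell
#!/bin/sh
# Added example (not from the thread). Shows why a source tree on a noexec
# filesystem still builds when scripts are invoked as "sh script" and why
# noexec is not a control against interpreted code.

# run_script FILE [ARGS...]
# Reads the "#!" line to pick the interpreter (falls back to sh) and hands
# the file to it as data. The kernel only execs the interpreter binary, so
# the permission check on FILE's filesystem is never the exec check.
run_script() {
    script=$1
    shift
    first=
    IFS= read -r first < "$script" || [ -n "$first" ] || return 1
    case $first in
        '#!'*) interp=${first#'#!'} ;;
        *)     interp=sh ;;
    esac
    # Unquoted on purpose: "#!/usr/bin/env sh" must split into two words.
    $interp "$script" "$@"
}

# demo
# Builds a constructed script, makes it non-executable, then compares a
# direct exec with run_script. Prints "direct=<rc> via=<rc> out=<output>".
demo() {
    dir=$(mktemp -d) || return 1
    # Constructed sample script and argument, for illustration only.
    printf '#!/bin/sh\necho "osreldate stub: $1"\n' > "$dir/gen.sh"
    chmod a-x "$dir/gen.sh"

    # Direct exec: the shell reports 126 (found but not executable).
    "$dir/gen.sh" 1000055 2>/dev/null && direct=0 || direct=$?

    # Via interpreter: the file is only read, so this succeeds.
    out=$(run_script "$dir/gen.sh" 1000055) && via=0 || via=$?

    rm -rf "$dir"
    echo "direct=$direct via=$via out=$out"
}

demo
```

On a host that relies on noexec for untrusted writable paths, the same result means interpreter invocations on those paths have to be covered by other controls, since the mount option alone does not stop them.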