From owner-freebsd-arch Fri Jun 15 13: 4:20 2001 Delivered-To: freebsd-arch@freebsd.org Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13]) by hub.freebsd.org (Postfix) with SMTP id CF4CE37B40B for ; Fri, 15 Jun 2001 13:04:13 -0700 (PDT) (envelope-from roam@orbitel.bg) Received: (qmail 44420 invoked by uid 1000); 15 Jun 2001 20:02:50 -0000 Date: Fri, 15 Jun 2001 23:02:50 +0300 From: Peter Pentchev To: Mike Smith Cc: arch@FreeBSD.ORG, audit@FreeBSD.ORG Subject: Re: new kldpath(8): display/modify the module search path Message-ID: <20010615230249.V94445@ringworld.oblivion.bg> Mail-Followup-To: Mike Smith , arch@FreeBSD.ORG, audit@FreeBSD.ORG References: <20010615225012.T94445@ringworld.oblivion.bg> <200106152010.f5FKAoT01353@mass.dis.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200106152010.f5FKAoT01353@mass.dis.org>; from msmith@freebsd.org on Fri, Jun 15, 2001 at 01:10:50PM -0700 Sender: owner-freebsd-arch@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Fri, Jun 15, 2001 at 01:10:50PM -0700, Mike Smith wrote: > > > Don't check. > > > > Don't check what - don't check for a directory existence? > > This could lead to problems - theoretically at least, a startup > > script could add a not-yet-mounted directory, and then some > > user (who can see the contents of the kern.module_path sysctl) > > could mount his own directory there, and invoke a module load.. > > > > I know this is paranoid, but ldconfig already performs these > > checks, and ignores non-existent directories. It's true that > > ldconfig only makes the pass at invocation time, so it does > > not have to deal with the problem of adding a non-existent dir > > for future reference, but even so, ldconfig warns about the problem, > > which means kldpath/kldconfig should error out :) > > > > Or maybe I've misunderstood your "don't check" comment. > > If so, apologies for the wasted bandwidth :) > > IMO, ldconfig shouldn't check, and neither should kldconfig. However, my > principal encouragement here is to make kldconfig behave as much like > ldconfig as possible (where it makes sense), so yes, go ahead and check, > but don't be deluded into thinking this actually offers any real security. > > The kldload codepath should still be checking modules wrt. security. OK, after some more discussion on IRC, it seems that the "don't check" approach is best, with kldload-time checking. I'll think some more about it when I get home. Thanks to all thread participatns for the feedback, I'll be back! :) G'luck, Peter -- This sentence would be seven words long if it were six words shorter. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-arch" in the body of the message