From owner-freebsd-arch Thu Jul 27 8:15:42 2000 Delivered-To: freebsd-arch@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 0AB7837BA89 for ; Thu, 27 Jul 2000 08:15:39 -0700 (PDT) (envelope-from robert@fledge.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id LAA93314; Thu, 27 Jul 2000 11:14:56 -0400 (EDT) (envelope-from robert@fledge.watson.org) Date: Thu, 27 Jul 2000 11:14:55 -0400 (EDT) From: Robert Watson X-Sender: robert@fledge.watson.org To: "Jacques A. Vidrine" Cc: John Polstra , arch@freebsd.org Subject: Re: How much security should ldconfig enforce? In-Reply-To: <20000727075027.C8974@hamlet.nectar.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-arch@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG On Thu, 27 Jul 2000, Jacques A. Vidrine wrote: > On Wed, Jul 26, 2000 at 07:36:13PM -0700, John Polstra wrote: > > 3. It could default to strictly secure but accept a command-line > > option to relax the constraints. And an rc.conf knob could be added > > to control whether or not it was strict at boot time. > > I like this option, but the knob should be compile-time, IMHO. I would support either the "revert" or (3) option, but definitely not support this being a compile-time flag. I should not have to recompile the operating system to allow our netsec group to have a /netsec/lib with different maintainers for different operating systems. Especially in NFS environments, placing requirements on permissions and ownership for directories is a very poor idea. In general, the UNIX mechanism has been to implement tools, but not policies, for which we already have quite a sufficient discretionary access control mechanism. In general, we don't check permissions on the /etc directory, we assume that it is set correctly during the install, and that if the user wants to change it, that is their perogative. The same goes for group files, etc. In the future, once we have a mandatory access control policy, integrity protection can be used to protect users from shared libraries of low integrity. So my preference here is: permissions and ownership in the base install are fine. The default compile (and preferably install) should allow users to include group-writable shared library paths, if not world-writable paths. Consider our adduser implementation: each user is in their own group anyway :-). Robert N M Watson robert@fledge.watson.org http://www.watson.org/~robert/ PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1 TIS Labs at Network Associates, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-arch" in the body of the message