Date:      Mon, 24 Dec 2012 09:57:36 -0500
From:      "Mikhail T." <mi+thun@aldan.algebra.com>
To:        Chris Rees <crees@FreeBSD.org>
Cc:        Barney Wolff <barney@databus.com>, stable@freebsd.org
Subject:   Re: What is "negative group permissions"? (Re: narawntapu security run output)
Message-ID:  <50D86D60.2060506@aldan.algebra.com>
In-Reply-To: <CADLo83-iEdD8C=K7qc6_V4CUA=edcOD91Ywz1Tb286wiMyQJLw@mail.gmail.com>
References:  <201212230805.qBN850Pj083122@narawntapu.narawntapu> <50D7287C.7020802@aldan.algebra.com> <20121223162332.GA38788@pit.databus.com> <CADLo83-iEdD8C=K7qc6_V4CUA=edcOD91Ywz1Tb286wiMyQJLw@mail.gmail.com>

On 23.12.2012 11:48, Chris Rees wrote:
> They involve a lot of thought to get right, as well as chmod g-w on
> something where you probably meant chmod go-w is a disastrous but
> (perhaps) common error.
>
> Chris

Well, in (over 20) years of dealing with Unix, I've never made a mistake
like that, nor do I understand how it can be considered "common"...
Got to admit, I was surprised to see it. It made me think I do not
understand something -- or that FreeBSD is becoming overly
paternalistic. It turned out to be the latter...

I doubt it is useful. Worse, issuing such warnings routinely only
reinforces the unfortunate misconceptions like the one Barney
demonstrated in this thread. When originally added, the check was meant
to be off by default:

    r215213 | brooks | 2010-11-12 19:40:43 -0500 (пт, 12 лис 2010) | 7 lines

    Add an (off by default) check for negative permissions (where the
    group on an object has less permissions than everyone).  These
    permissions will not work reliably over NFS if you have more than
    14 supplemental groups and are usually not what you mean.

    MFC after:      1 week

Perhaps it should have remained off?

Yours,

    -mi
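
The check described in the quoted commit, as an added example (not code from FreeBSD or from this message): `negative_group_bits` and `scan` find entries whose group has fewer rights than other, and `may_access` models the owner/group/other evaluation order that makes such modes deny group members. All function names, IDs and sample modes are constructed for illustration; root's bypass and ACLs are not modeled.

```python
import os
import stat
import tempfile

# (group bit, other bit, name) for each right
_PAIRS = ((stat.S_IRGRP, stat.S_IROTH, "r"), (stat.S_IWGRP, stat.S_IWOTH, "w"),
          (stat.S_IXGRP, stat.S_IXOTH, "x"))


def negative_group_bits(mode):
    """Rights that "other" has but the file's group lacks, e.g. "r" for 0604."""
    return "".join(n for g, o, n in _PAIRS if mode & o and not mode & g)


def may_access(mode, file_uid, file_gid, uid, gids, want):
    """Classic Unix check for a non-root caller: only the first matching
    class (owner, then group, then other) is consulted."""
    shift = {"r": 2, "w": 1, "x": 0}[want]
    if uid == file_uid:
        base = 6                      # owner bits
    elif file_gid in gids:
        base = 3                      # group bits, even if other grants more
    else:
        base = 0                      # other bits
    return bool((mode >> (base + shift)) & 1)


def scan(root):
    """Yield (path, missing_rights) for entries under root whose group has
    fewer rights than other. Symlinks are skipped; their mode is not used."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISLNK(mode) and negative_group_bits(mode):
                yield path, negative_group_bits(mode)


def demo():
    """Scan a constructed temp tree holding one 0604 and one 0644 file."""
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("staff-excluded", 0o604), ("normal", 0o644)):
            path = os.path.join(d, name)
            open(path, "w").close()
            os.chmod(path, mode)
        return sorted((os.path.basename(p), m) for p, m in scan(d))


if __name__ == "__main__":
    print(demo())
```

Calling `may_access` with the file's group left out of `gids` turns the denial into a grant, which is the unreliability the commit message attributes to NFS when the caller has more supplemental groups than are passed along.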



