Date: Mon, 24 Dec 2012 09:57:36 -0500 From: "Mikhail T." <mi+thun@aldan.algebra.com> To: Chris Rees <crees@FreeBSD.org> Cc: Barney Wolff <barney@databus.com>, stable@freebsd.org Subject: Re: What is "negative group permissions"? (Re: narawntapu security run output) Message-ID: <50D86D60.2060506@aldan.algebra.com> In-Reply-To: <CADLo83-iEdD8C=K7qc6_V4CUA=edcOD91Ywz1Tb286wiMyQJLw@mail.gmail.com> References: <201212230805.qBN850Pj083122@narawntapu.narawntapu> <50D7287C.7020802@aldan.algebra.com> <20121223162332.GA38788@pit.databus.com> <CADLo83-iEdD8C=K7qc6_V4CUA=edcOD91Ywz1Tb286wiMyQJLw@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On 23.12.2012 11:48, Chris Rees wrote: > They involve a lot of thought to get right, as well as chmod g-w on > something where you probably meant chmod go-w is a disastrous but > (perhaps) common error. Chris Well, in (over 20) years of dealing with Unix, I've never made a mistake like that, nor do I understand, how it can be considered "common" ... Got to admit, I was surprised to see it. It made me think, I do not understand something -- or that FreeBSD is becoming overly paternalistic. It turned out to be the latter... I doubt, it is useful. Worse, issuing such warnings routinely, only reinforces the unfortunate misconceptions like the one Barney demonstrated in this thread. When originally added, the check was meant to be off by default: r215213 | brooks | 2010-11-12 19:40:43 -0500 (ΠΤ, 12 ΜΙΣ 2010) | 7 lines Add an (off by default) check for negative permissions (where the group on a object has less permissions that everyone). These permissions will not work reliably over NFS if you have more than 14 supplemental groups and are usually not what you mean. MFC after: 1 week perhaps, it should have remained off? Yours, -mi
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?50D86D60.2060506>