Date:      Fri, 15 May 2020 08:14:38 -0500
From:      Kyle Evans <kevans@freebsd.org>
To:        Poul-Henning Kamp <phk@phk.freebsd.dk>
Cc:        Alan Somers <asomers@freebsd.org>, "Julian H. Stacey" <jhs@berklix.com>,  "freebsd-arch@freebsd.org" <freebsd-arch@freebsd.org>,  "freebsd-hackers@freebsd.org" <hackers@freebsd.org>
Subject:   Re: [HEADSUP] Disallowing read() of a directory fd
Message-ID:  <CACNAnaFp2d1E+5Vz9qdf_hXqtpHTnx_gkNQvVLcfjwNCs4Jjzg@mail.gmail.com>
In-Reply-To: <35501.1589529102@critter.freebsd.dk>
References:  <CACNAnaFszg+QWPRS0kghsnQMxXc+5niPTTNiUPSmK60YyBGCzA@mail.gmail.com> <202005142017.04EKH0aA093503@fire.js.berklix.net> <CAOtMX2i2Z-KX=3rYR2nZ1g1Lb_tF==H3xPKcQMBxJs1Kqr-meQ@mail.gmail.com> <33549.1589488226@critter.freebsd.dk> <CACNAnaFDHMkConkBLY-2BMAudueDA8-HTJ5_FNpt4WrB=gg_HA@mail.gmail.com> <35501.1589529102@critter.freebsd.dk>

On Fri, May 15, 2020 at 2:51 AM Poul-Henning Kamp <phk@phk.freebsd.dk> wrote:
>
> --------
> In message <CACNAnaFDHMkConkBLY-2BMAudueDA8-HTJ5_FNpt4WrB=gg_HA@mail.gmail.com>
> , Kyle Evans writes:
> >On Thu, May 14, 2020 at 3:30 PM Poul-Henning Kamp <phk@phk.freebsd.dk> wrote:
>
> >Can we explore the possibility of using fsdb(8) to fulfill these needs
> >in a way that you'd be comfortable with?
> >
> Summary:  I'm perfectly fine with read(2) returning error on a
> directory *under normal circumstances*, and I think it makes good
> sense by protecting a lot of terminals from a lot of binary
> garbage.
>
> But there is absolutely no reason to make it *impossible* for
> a competent root to do what competent roots do.
>

First, apologies if my previous message had offended you -- I didn't
mean for this, but as you can tell I was not well-equipped to discuss
the possibilities with a seasoned veteran such as yourself.

I've prepared a patch locally to update the review that both hides it
off behind security.bsd.allow_read_dir (default off) and restricts it
to a new PRIV_VFS_READ_DIR that *is not* granted to jailed root. I
know we've already discussed this to some extent, but can you confirm
that these restrictions are reasonable and acceptable for you? I've
tentatively placed it in the security.bsd.* namespace because it can
have, and has had, security implications, but I'm certainly not dead-set
on it staying there.

Thanks,

Kyle Evans
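The user-visible effect of the policy under discussion, as an added example and not code from the thread or from the FreeBSD patch: a program that attempts read(2) on a directory descriptor and, when the kernel refuses it (the EISDIR case that security.bsd.allow_read_dir=0, or a caller without PRIV_VFS_READ_DIR, produces on the patched system, and that Linux produces unconditionally), falls back to fdopendir(3)/readdir(3), which is the supported way to enumerate a directory and is unaffected by the knob. The raw-read branch only succeeds on an unpatched FreeBSD or for a root that has the knob enabled; the program reports which case it hit. The function and struct names are this example's own.

```c
#define _XOPEN_SOURCE 700   /* expose O_DIRECTORY and fdopendir(3) */
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Outcome of one read(2) attempt on a directory descriptor. */
struct dir_read_probe {
    ssize_t nbytes;   /* read(2) return value: -1 on error */
    int     err;      /* errno when nbytes == -1, otherwise 0 */
};

/*
 * Open `path` with O_DIRECTORY and try to read(2) raw bytes from it.
 * With the policy in the thread (security.bsd.allow_read_dir=0, or a
 * caller that is not granted PRIV_VFS_READ_DIR, e.g. jailed root) the
 * expected result is -1/EISDIR. An unpatched FreeBSD, or a root with
 * the knob turned on, instead gets the on-disk directory bytes.
 */
struct dir_read_probe probe_read_dir(const char *path)
{
    struct dir_read_probe p = { -1, 0 };
    unsigned char buf[512];
    int fd = open(path, O_RDONLY | O_DIRECTORY);
    if (fd < 0) {
        p.err = errno;
        return p;
    }
    p.nbytes = read(fd, buf, sizeof buf);
    p.err = (p.nbytes < 0) ? errno : 0;
    close(fd);
    return p;
}

/*
 * The portable alternative: enumerate the directory through
 * fdopendir(3)/readdir(3), which does not depend on read(2) working
 * on a directory. Returns the entry count, or -1 with errno set.
 */
long count_dir_entries(const char *path)
{
    int fd = open(path, O_RDONLY | O_DIRECTORY);
    if (fd < 0)
        return -1;
    DIR *d = fdopendir(fd);          /* takes ownership of fd on success */
    if (d == NULL) {
        int e = errno;
        close(fd);
        errno = e;
        return -1;
    }
    long n = 0;
    struct dirent *de;
    errno = 0;                       /* readdir(3) sets errno only on real failure */
    while ((de = readdir(d)) != NULL)
        n++;
    int e = errno;
    closedir(d);
    if (e != 0) {
        errno = e;
        return -1;
    }
    return n;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : ".";
    struct dir_read_probe p = probe_read_dir(path);
    if (p.nbytes < 0)
        printf("read(2) on %s: %s%s\n", path, strerror(p.err),
               p.err == EISDIR ? " (raw directory reads disallowed)" : "");
    else
        printf("read(2) on %s returned %zd raw bytes\n", path, p.nbytes);

    long n = count_dir_entries(path);
    if (n < 0)
        printf("readdir(3) on %s: %s\n", path, strerror(errno));
    else
        printf("readdir(3) on %s: %ld entries\n", path, n);
    return 0;
}
```

Run it as `./a.out /etc` on a system with the knob off and the first line reports EISDIR while the second still lists the entries; the same binary on a system that permits raw directory reads prints a byte count instead, which is the "binary garbage" case the thread is about.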
