Date: Thu, 21 Oct 2010 20:08:48 +0200
From: Ulrich Spörlein <uqs@spoerlein.net>
To: Brooks Davis <brooks@freebsd.org>
Cc: hackers@freebsd.org
Subject: Re: negative permission scanner for periodic/security
Message-ID: <20101021180848.GE19295@acme.spoerlein.net>
In-Reply-To: <20101014202323.GD42797@lor.one-eyed-alien.net>
References: <20101014202323.GD42797@lor.one-eyed-alien.net>

On Thu, 14.10.2010 at 15:23:23 -0500, Brooks Davis wrote:
> One of the side effects of increasing NGROUPS_MAX is that it's possible
> for a process to be in more groups than can be transmitted over NFS
> (<4). When that happens users are mostly denied access to things they
> should have access to. However, permission evaluation order in unix
> means that groups can be denied access to files the world can read using
> so called negative permissions. I've written a scanner (derived from
> 100.chksetuid) for the periodic security script to flag such files as
> they pose a security risk (and nearly all the time are errors). I've
> not bothered looking for negative user permissions as that isn't broken
> over NFS and assuming the file is not on a read-only FS the user can
> just give themselves permissions again.
>
> One minor note: Before enabling this by default, ~6 files in the ports
> repo need fixing as they have world execute bits without user or group
> execute bits.
>
> Should this be enabled by default? I think so, but welcome discussion.

I'm with you, but a couple of points to note:

- Many admins won't be familiar with this problem and might not go as far
  as reading the periodic manpage for an explanation. Perhaps another
  paragraph could be emitted -- iff we have a hit -- that explains why
  periodic is checking the permissions.
- ufs,zfs is hardcoded, can't we get this list from somewhere else? We
  support NFS exports of ext2fs filesystems, right?
- Not a problem for sane setups, but somewhere out there is a machine
  where the resulting list might be several MB large. We currently don't
  restrict the periodic mail to a certain size, perhaps we should start
  doing this to avoid mailbox/mail system overflow?

Regards,
Uli
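
The check discussed in this thread, as an added example that is not part of either message and is not the scanner Brooks posted: it lists files whose "other" bits grant something the group bits withhold, prints an explanation only when there is a hit, and caps the listing. The function names and the 100-path default are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not the FreeBSD periodic script.
# Function names and the default cap are assumptions.

# List regular files under $1 where "other" holds a permission bit that
# "group" lacks (a negative group permission). -xdev stays on one file
# system; "-perm -NNN" with a single bit means "that bit is set".
find_neg_group_perms() {
    find "$1" -xdev -type f \( \
        \( -perm -004 ! -perm -040 \) -o \
        \( -perm -002 ! -perm -020 \) -o \
        \( -perm -001 ! -perm -010 \) \) -print 2>/dev/null | sort
}

# Report for directory $1, listing at most $2 paths (default 100).
# Prints nothing and returns 0 when clean; returns 1 when there are hits.
# Paths containing newlines would be miscounted by wc -l.
report_neg_group_perms() {
    max=${2:-100}
    hits=$(find_neg_group_perms "$1")
    [ -n "$hits" ] || return 0
    total=$(printf '%s\n' "$hits" | wc -l | tr -d ' ')
    echo "Files with negative group permissions under $1:"
    echo "  The group is granted less than the world on these files."
    echo "  The deny only works where the group membership is seen,"
    echo "  which may not hold for access over NFS."
    printf '%s\n' "$hits" | head -n "$max"
    if [ "$total" -gt "$max" ]; then
        echo "... $((total - max)) more not shown"
    fi
    return 1
}

# Run stand-alone as: sh script.sh /some/dir [max-paths]
if [ "$#" -gt 0 ]; then
    report_neg_group_perms "$@"
fi
```

Modes such as 604 or 705 are reported; 644, 755 and 600 are not.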