From owner-freebsd-hackers@FreeBSD.ORG Thu Oct 21 18:08:49 2010
Date: Thu, 21 Oct 2010 20:08:48 +0200
From: Ulrich Spörlein <uqs@spoerlein.net>
To: Brooks Davis
Cc: hackers@freebsd.org
Subject: Re: negative permission scanner for periodic/security
Message-ID: <20101021180848.GE19295@acme.spoerlein.net>
In-Reply-To: <20101014202323.GD42797@lor.one-eyed-alien.net>
References: <20101014202323.GD42797@lor.one-eyed-alien.net>

On Thu, 14.10.2010 at 15:23:23 -0500, Brooks Davis wrote:
> One of the side effects of increasing NGROUPS_MAX is that it's possible
> for a process to be in more groups than can be transmitted over NFS
> (<4). When that happens users are mostly denied access to things they
> should have access to. However, permission evaluation order in unix
> means that groups can be denied access to files the world can read using
> so called negative permissions. I've written a scanner (derived from
> 100.chksetuid) for the periodic security script to flag such files as
> they pose a security risk (and nearly all the time are errors). I've
> not bothered looking for negative user permissions as that isn't broken
> over NFS and assuming the file is not on a read-only FS the user can
> just give themselves permissions again.
>
> One minor note: Before enabling this by default, ~6 files in the ports
> repo need fixing as they have world execute bits without user or group
> execute bits.
>
> Should this be enabled by default? I think so, but welcome discussion.

I'm with you, but a couple of points to note:

- Many admins won't be familiar with this problem and might not go as far
  as reading the periodic manpage for an explanation. Perhaps another
  paragraph could be emitted -- iff we have a hit -- that explains why
  periodic is checking the permissions.

- ufs,zfs is hardcoded, can't we get this list from somewhere else? We
  support NFS exports of ext2fs filesystems, right?

- Not a problem for sane setups, but somewhere out there is a machine
  where the resulting list might be several MB large. We currently don't
  restrict the periodic mail to a certain size, perhaps we should start
  doing this to avoid mailbox/mail system overflow?

Regards,
Uli
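The check the thread is discussing, as an added sh example that is not Brooks Davis's scanner (his script is not shown here): it lists regular files whose group bits are a strict subset of the world bits, and prints an explanatory paragraph only when there is a hit, as Uli suggests. It assumes a POSIX find(1) with octal -perm masks and -xdev, scans regular files only, and leaves out the ufs/zfs filesystem-type filtering.

```sh
#!/bin/sh
# Added example, not the scanner from the thread. Finds "negative" group
# permissions: regular files where the world has a permission bit that the
# group lacks, so members of the group are denied what everyone else gets.
# Assumes POSIX find(1); octal -perm masks are used so the same expression
# works with both BSD and GNU find. Filesystem-type filtering is left out.

# Print, sorted, every regular file under $1 where world has a bit that
# group does not. Each clause pairs one "other" bit with its "group" bit:
#   -perm -004 ! -perm -040   world read,    no group read
#   -perm -002 ! -perm -020   world write,   no group write
#   -perm -001 ! -perm -010   world execute, no group execute
# -xdev keeps the scan from crossing into other mounted filesystems.
find_negative_group_perms() {
    find "$1" -xdev -type f \( \
        \( -perm -004 ! -perm -040 \) -o \
        \( -perm -002 ! -perm -020 \) -o \
        \( -perm -001 ! -perm -010 \) \
    \) -print | sort
}

# Periodic-style wrapper: explain why the files are listed, but only when
# there is at least one hit, so the daily mail stays quiet on clean hosts.
report_negative_group_perms() {
    hits=$(find_negative_group_perms "$1")
    [ -n "$hits" ] || return 0
    echo "Checking for files with negative group permissions:"
    echo "(group has fewer permission bits than world; nearly always a mistake)"
    echo "$hits"
}

# Stand-alone usage: RUN_SCAN=1 ./negperms.sh /some/mountpoint
if [ "${RUN_SCAN:-0}" = 1 ]; then
    report_negative_group_perms "${1:-/}"
fi
```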