From: "Rodney W. Grimes"
Subject: Re: svn commit: r365643 - head/bin/cp
To: Warner Losh
CC: Stefan Esser, "Rodney W. Grimes", Kyle Evans, Alan Somers, Mateusz Guzik, src-committers, svn-src-all, svn-src-head
Date: Fri, 25 Sep 2020 10:42:00 -0700 (PDT)
Message-Id: <202009251742.08PHg0nD051549@gndrsh.dnsmgr.net>
Reply-To: rgrimes@freebsd.org

> On Thu, Sep 24, 2020 at 12:41 AM Stefan Esser wrote:
>
> > On 23.09.20 at 19:23 Warner Losh wrote:
> > > But for this issue, we're not mounting devfs early enough. We should
> > > fix that. Removing /dev/null from the boot process likely is never going
> > > to happen because we use it all over the place to discard output...
> > > There's ~200 instances of it in the boot rc scripts, so getting rid of
> > > it there would also be quite the effort, with the same question.
> >
> > Removal of /dev/null from rc.d scripts should be quite simple,
> > since most cases could just use ">-" (close file descriptor)
> > instead. Other usage could be substituted with ":>" followed
> > by chown.
> >
>
> So closing fd1 and fd2 doesn't cause them to be available for these
> programs to get as an fd on open, causing other issues?
>
> But >- isn't documented in sh(1) as doing the close thing. On a whim I did
> the following:
> $ echo fred >-
> $ ls -last ./-
> 4 -rw-r--r-- 1 imp imp 5 Sep 24 00:50 ./-
> $ cat ./-
> fred
> $
> which suggests maybe you now have a lot of files named - instead...
>
> > I'd be willing to generate patches for review, if there is any
> > chance such a change might be accepted into -CURRENT.
> >
> > I could not find any use of /dev/zero,
>
> Yea, I'd thought we used it in libc, but I can't find any evidence of that
> with grep now that I've gone looking for it. Forget that specific one :)
>
> > but e.g. rc.d/syscons
> > uses ${kbddev} (i.e. /dev/ttyv0) and rc.d/zvol performs swapon
> > on /dev/zvol/${name}, rc.d/random uses /dev/random and so on.
> >
>
> So those interactions should be disabled by rc variables... Or we should be
> failing the operation...

I believe there are several cases in the rc scripts of failure to fail,
and I have experienced at least one that left a firewall wide open that
I would have just rather had it fail and drop to single user. I have
repeatedly heard the argument, "but you want it to continue so you can
get into it". NO, not if that failure leads to a security risk. Most
modern systems have out of band management, so the story of "but you
can't get to the system if it stops" no longer holds water with me.
I have worked around these locally.

> > But those further references to /dev nodes will in general be
> > NOPs if /dev is not available (some test for existence of the
> > node they rely on, other just fail trying to access them, but
> > without negative effect on going multi-user).
> >
>
> Yea, that's more minor, but if /dev/ isn't there, they likely should fail,
> or shouldn't proceed... But in a way that allows the rest of the rc scripts
> to continue...

This notion that "must boot at all cost" leads to security risks.

> Warner

-- 
Rod Grimes rgrimes@freebsd.org
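Warner's experiment above shows that `>-` is an ordinary redirection to a file literally named `-`. The script below is an added example, not part of this thread or of the FreeBSD rc scripts: it reproduces that behaviour in a scratch directory and contrasts it with `>&-`, the POSIX sh(1) redirection that actually closes a descriptor. The function names are assumed here.

```shell
#!/bin/sh
# Added example: ">-" versus ">&-" in POSIX sh.
# Neither function touches the caller's directory; both clean up after themselves.

# Returns 0 when ">-" leaves a regular file named "-" containing "fred",
# i.e. it redirected to a file instead of closing stdout.
dash_redirect_creates_file() {
    tmp=$(mktemp -d) || return 1
    ( cd "$tmp" && echo fred >- )
    if [ -f "$tmp/-" ] && [ "$(cat "$tmp/-")" = fred ]; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# Returns 0 when ">&-" really closes stdout: the write fails (echo reports
# a write error and exits non-zero) and no file named "-" appears.
# Caveat raised in the thread: with fd 1 closed, the next open() in that
# process is handed descriptor 1, so a program writing to "stdout" may end
# up writing into whatever file it opened next. Redirecting to /dev/null
# avoids that; closing the descriptor does not.
close_redirect_really_closes() {
    tmp=$(mktemp -d) || return 1
    if ( cd "$tmp" && echo fred >&- 2>/dev/null ); then
        write_rc=0
    else
        write_rc=1
    fi
    if [ "$write_rc" -eq 1 ] && [ ! -e "$tmp/-" ]; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

if dash_redirect_creates_file; then
    echo "'>-' created a file named '-'; it is not a close"
fi
if close_redirect_really_closes; then
    echo "'>&-' closed stdout; the write failed instead of landing in a file"
fi
```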