To: hackers@FreeBSD.org, ru@FreeBSD.org
Subject: Re: ifmcstat(8) setgidness
In-Reply-To: <20010627120513.B14399@sunbay.com>; from ru@FreeBSD.org on "Wed, 27 Jun 2001 12:05:13 +0300"
Date: Wed, 27 Jun 2001 18:29:15 -0700
From: Dima Dorfman
Message-Id: <20010628012915.D2E1A3E2F@bazooka.unixfreak.org>

Ruslan Ermilov writes:
> On Wed, Jun 27, 2001 at 01:29:28AM -0700, Dima Dorfman wrote:
> > Ruslan Ermilov writes:
> > > On Tue, Jun 26, 2001 at 03:04:07PM -0700, Dima Dorfman wrote:
> > > > Hi folks,
> > > >
> > > > Is there a particular reason, other than the desire for more setgid
> > > > programs, that ifmcstat(8) is setgid kmem? It seems that there's no
> > > > reason anyone but root would want to use it, anyway. OpenBSD and
> > > > NetBSD already nuked its setgid bit; any reason why we shouldn't
> > > > follow suit?
> > > >
> > > $ ifmcstat
> > > kvm_openfiles: Permission denied
> >
> > I don't follow. Yes, it needs access to kmem to work. However, I
> > don't see why anyone other than root would need to run it, so why is
> > it setgid? root can access kmem either way.
> >
> Could you please elaborate on why it should be restricted to root only?

Because it looks like it doesn't provide any information that anyone
other than the administrator would find useful (if I'm seeing things,
please let me know), and the less setgid programs in the system the
better our overworked security officer(s) sleep at night :-).

> OpenBSD's and NetBSD's commitlogs are too terse.

This is quite an understatement!

Dima Dorfman
dima@unixfreak.org

>
>
> Cheers,
> --
> Ruslan Ermilov		Oracle Developer/DBA,
> ru@sunbay.com		Sunbay Software AG,
> ru@FreeBSD.org		FreeBSD committer,
> +380.652.512.251	Simferopol, Ukraine
>
> http://www.FreeBSD.org	The Power To Serve
> http://www.oracle.com	Enabling The Information Age
>