Date: Sat, 16 May 2020 11:26:11 -0500 From: Kyle Evans <kevans@freebsd.org> To: "Julian H. Stacey" <jhs@berklix.com> Cc: "freebsd-arch@freebsd.org" <freebsd-arch@freebsd.org>, "freebsd-hackers@freebsd.org" <freebsd-hackers@freebsd.org> Subject: Re: [HEADSUP] Disallowing read() of a directory fd Message-ID: <CACNAnaFapztQL3N4sWTv1-umh96xUeZPYUoQ3imX7fhCk5c0HA@mail.gmail.com> In-Reply-To: <202005161518.04GFIA0a099390@fire.js.berklix.net> References: <2ea8236f935a4c786a0f4f06ca1d3ea3@udns.ultimatedns.net> <202005161518.04GFIA0a099390@fire.js.berklix.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, May 16, 2020 at 10:18 AM Julian H. Stacey <jhs@berklix.com> wrote: > > Another use of "cat ." is to see names of transient files a tool > creates, & normaly deletes, if not aborting, so one can find same > name junk elsewhere, & search for tool causing junk, > & ensure other data files avoid using names that would be zapped. > > While blocking "cat ." might be worked round if not in a jail, & > or if using fsdb & sysctl etc, it would add to a more BSD specific > environment, where standard portable Unix skills was insufficient, > & more time needed to search & learn BSD extras. Every obstacle > costs employers time = money. > This scenario is just a bit too generic for me to be able to relate to, because I've never been in a situation where I would've had to or just randomly used `cat .` to discover junk files. This also isn't really a transferable skill to other modern OS and filesystems, as oftentimes they won't or can't give you anything useful with read(2). That said, I've written a MAC policy that can live atop the current patch to lift all of the restrictions except the sysctl needing to be set: https://people.freebsd.org/~kevans/mac-read_dir.diff -> I could even be convinced fairly easily to commit it, if you'd find that acceptable. The policy ends up looking generically useful, as you can lift just the jail root restriction or you can allow any user to cat a directory. Thanks, Kyle Evans
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CACNAnaFapztQL3N4sWTv1-umh96xUeZPYUoQ3imX7fhCk5c0HA>