Date: Fri, 29 Jun 2001 10:01:51 +0300
From: Ruslan Ermilov <ru@FreeBSD.org>
To: Dima Dorfman <dima@unixfreak.org>
Cc: hackers@FreeBSD.org
Subject: Re: ifmcstat(8) setgidness
Message-ID: <20010629100151.C91115@sunbay.com>
In-Reply-To: <20010628012915.D2E1A3E2F@bazooka.unixfreak.org>; from dima@unixfreak.org on Wed, Jun 27, 2001 at 06:29:15PM -0700
References: <20010627120513.B14399@sunbay.com> <20010628012915.D2E1A3E2F@bazooka.unixfreak.org>

On Wed, Jun 27, 2001 at 06:29:15PM -0700, Dima Dorfman wrote:
> Ruslan Ermilov <ru@FreeBSD.org> writes:
> > On Wed, Jun 27, 2001 at 01:29:28AM -0700, Dima Dorfman wrote:
> > > Ruslan Ermilov <ru@FreeBSD.ORG> writes:
> > > > On Tue, Jun 26, 2001 at 03:04:07PM -0700, Dima Dorfman wrote:
> > > > > Hi folks,
> > > > >
> > > > > Is there a particular reason, other than the desire for more setgid
> > > > > programs, that ifmcstat(8) is setgid kmem? It seems that there's no
> > > > > reason anyone but root would want to use it, anyway. OpenBSD and
> > > > > NetBSD already nuked its setgid bit; any reason why we shouldn't
> > > > > follow suit?
> > > > >
> > > > $ ifmcstat
> > > > kvm_openfiles: Permission denied
> > >
> > > I don't follow. Yes, it needs access to kmem to work. However, I
> > > don't see why anyone other than root would need to run it, so why is
> > > it setgid? root can access kmem either way.
> > >
> > Could you please elaborate on why it should be restricted to root only?
>
> Because it looks like it doesn't provide any information that anyone
> other than the administrator would find useful (if I'm seeing things,
> please let me know), and the less setgid programs in the system the
> better our overworked security officer(s) sleep at night :-).
>
Then why not make it installed with BINMODE=550 at least?

> > OpenBSD's and NetBSD's commitlogs are too terse.
>
> This is quite an understatement!
>
I meant these particular logs. If you don't find these terse,
my apologies:

: revision 1.2
: date: 2001/06/23 00:50:33; author: deraadt; state: Exp; lines: +1 -1
: only root need apply

: revision 1.2
: date: 2001/06/26 17:10:33; author: itojun; state: Exp; lines: +2 -2
: drop setgid. suggested by deraadt

Cheers,
--
Ruslan Ermilov      Oracle Developer/DBA,
ru@sunbay.com       Sunbay Software AG,
ru@FreeBSD.org      FreeBSD committer,
+380.652.512.251    Simferopol, Ukraine

http://www.FreeBSD.org    The Power To Serve
http://www.oracle.com     Enabling The Information Age

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message