Date: Fri, 29 Jun 2001 10:01:51 +0300
From: Ruslan Ermilov
To: Dima Dorfman
Cc: hackers@FreeBSD.org
Subject: Re: ifmcstat(8) setgidness
Message-ID: <20010629100151.C91115@sunbay.com>

On Wed, Jun 27, 2001 at 06:29:15PM -0700, Dima Dorfman wrote:
> Ruslan Ermilov writes:
> > On Wed, Jun 27, 2001 at 01:29:28AM -0700, Dima Dorfman wrote:
> > > Ruslan Ermilov writes:
> > > > On Tue, Jun 26, 2001 at 03:04:07PM -0700, Dima Dorfman wrote:
> > > > > Hi folks,
> > > > >
> > > > > Is there a particular reason, other than the desire for more setgid
> > > > > programs, that ifmcstat(8) is setgid kmem? It seems that there's no
> > > > > reason anyone but root would want to use it, anyway. OpenBSD and
> > > > > NetBSD already nuked its setgid bit; any reason why we shouldn't
> > > > > follow suit?
> > > > >
> > > > $ ifmcstat
> > > > kvm_openfiles: Permission denied
> > >
> > > I don't follow. Yes, it needs access to kmem to work. However, I
> > > don't see why anyone other than root would need to run it, so why is
> > > it setgid? root can access kmem either way.
> > >
> > Could you please elaborate on why it should be restricted to root only?
>
> Because it looks like it doesn't provide any information that anyone
> other than the administrator would find useful (if I'm seeing things,
> please let me know), and the less setgid programs in the system the
> better our overworked security officer(s) sleep at night :-).
>
Then why not make it installed with BINMODE=550 at least?

> > OpenBSD's and NetBSD's commitlogs are too terse.
>
> This is quite an understatement!
>
I meant these particular logs. If you don't find these terse,
my apologies:

: revision 1.2
: date: 2001/06/23 00:50:33; author: deraadt; state: Exp; lines: +1 -1
: only root need apply

: revision 1.2
: date: 2001/06/26 17:10:33; author: itojun; state: Exp; lines: +2 -2
: drop setgid. suggested by deraadt

Cheers,
-- 
Ruslan Ermilov          Oracle Developer/DBA,
ru@sunbay.com           Sunbay Software AG,
ru@FreeBSD.org          FreeBSD committer,
+380.652.512.251        Simferopol, Ukraine

http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age