Date: Thu, 25 Apr 2002 13:30:50 +0300
From: Peter Pentchev <roam@ringlet.net>
To: Jason DiCioccio <jd@bluenugget.net>
Cc: freebsd-arch@freebsd.org
Subject: Re: Fwd: NOSUID and NOSUID_prog make knobs
Message-ID: <20020425133050.B360@straylight.oblivion.bg>
In-Reply-To: <0F346F4F-580D-11D6-8E6E-00039390808C@bluenugget.net>; from jd@bluenugget.net on Wed, Apr 24, 2002 at 10:26:56PM -0700
References: <0F346F4F-580D-11D6-8E6E-00039390808C@bluenugget.net>
On Wed, Apr 24, 2002 at 10:26:56PM -0700, Jason DiCioccio wrote:
> On Wednesday, April 24, 2002, at 08:17 PM, Johan Karlsson wrote:
> > On Wed, Apr 24, 2002 at 19:17 (-0700) +0000, David O'Brien wrote:
> >>
> >> Either do them all, or none. This flag per binary does not scale, nor do
> >> I see any significant portion of our userbase utilizing the
> >> granularity.
> >
> > In the discussion on -security I got the impression that the
> > granularity is wanted.
> >
> > There are currently 29 suid and 14 sgid bits set in Makefiles
> > that would be affected by this.
> > Some of them make sense to group together, e.g. lpr, ping, etc.
> >
> > I think it just makes more sense to provide all of them
> > (some grouped) than to only have 1 knob for all of them.
> >
> > /Johan K
> >
> Granularity is wanted, at least by me and others I have spoken to. I
> don't know if it is best to clutter make.conf or if there is a better
> place, or a new place, that these knobs could be placed. However, if
> you're going to provide the flexibility I would think you should go all
> the way with it. Perhaps provide some canned sets, and/or the ability
> to make 'groups' of binaries in the configuration but there definitely
> has to be the ability to configure it to the level of individual
> binaries.
>
> IMHO :)
I agree that granularity would be a good thing; how about something else
though, something like the following:

NOSUID_LIST= passwd chsh chfn

..and then, in usr.bin/passwd/Makefile..

.if "${NOSUID_LIST:Mpasswd}" == ""
BINMODE= 4555
.endif

Alternatively, the NOSUID_LIST may be turned into SUID_LIST, but that
might pose problems with its default value.
G'luck,
Peter
-- 
Peter Pentchev roam@ringlet.net roam@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
If this sentence didn't exist, somebody would have invented it.
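One way to check an installed tree against the NOSUID_LIST idea proposed in the message above. This is an added example, not part of the original e-mail or of FreeBSD's build system; the function names, the candidate paths and the throwaway sample tree are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: audit an installed tree against a NOSUID_LIST.
# NOSUID_LIST is the knob proposed in the message; wants_suid, audit_nosuid,
# make_sample_tree and the sample tree itself are hypothetical names/data.

# Mirrors the Makefile test "${NOSUID_LIST:Mpasswd}" == "": succeeds when the
# program is NOT on the list, i.e. it would be installed with BINMODE 4555.
# (make's :M matches a pattern per word; this does exact word matching.)
wants_suid() {
    case " $NOSUID_LIST " in
        *" $1 "*) return 1 ;;
        *)        return 0 ;;
    esac
}

# audit_nosuid ROOT PATH...: print one line per binary whose setuid bit
# disagrees with NOSUID_LIST. Returns 0 when the tree matches the list.
audit_nosuid() {
    root=$1; shift
    bad=0
    for rel in "$@"; do
        prog=${rel##*/}
        if [ ! -f "$root/$rel" ]; then
            echo "MISSING $rel"; bad=1
        elif wants_suid "$prog"; then
            if [ ! -u "$root/$rel" ]; then echo "LOST-SUID $rel"; bad=1; fi
        else
            if [ -u "$root/$rel" ]; then echo "STILL-SUID $rel"; bad=1; fi
        fi
    done
    return "$bad"
}

# Constructed sample: a temporary tree standing in for the install root.
# passwd keeps mode 4555 as if it had been installed before the knob was set.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/usr/bin"
    for p in passwd chsh chfn su; do : > "$d/usr/bin/$p"; done
    chmod 0555 "$d/usr/bin/chsh" "$d/usr/bin/chfn"
    chmod 4555 "$d/usr/bin/passwd" "$d/usr/bin/su"
    echo "$d"
}

NOSUID_LIST="passwd chsh chfn"
tree=$(make_sample_tree)
audit_nosuid "$tree" usr/bin/passwd usr/bin/chsh usr/bin/chfn usr/bin/su \
    || echo "installed modes do not match NOSUID_LIST"
rm -rf "$tree"
```

A list in make.conf only affects binaries that are reinstalled afterwards, which is why the sample reports passwd as still setuid while su, which is not on the list, passes.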
