From: Peter Pentchev
To: Jason DiCioccio
Cc: freebsd-arch@freebsd.org
Date: Thu, 25 Apr 2002 13:30:50 +0300
Subject: Re: Fwd: NOSUID and NOSUID_prog make knobs
In-Reply-To: <0F346F4F-580D-11D6-8E6E-00039390808C@bluenugget.net>; from jd@bluenugget.net on Wed, Apr 24, 2002 at 10:26:56PM -0700
List: freebsd-arch@FreeBSD.ORG

On Wed, Apr 24, 2002 at 10:26:56PM -0700, Jason DiCioccio wrote:
> On Wednesday, April 24, 2002, at 08:17 PM, Johan Karlsson wrote:
> > On Wed, Apr 24, 2002 at 19:17 (-0700) +0000, David O'Brien wrote:
> >>
> >> Either do them all, or none. This flag per binary does not scale, nor
> >> do I see any significant portion of our userbase utilizing the
> >> granularity.
> >
> > In the discussion on -security I got the impression that the
> > granularity is wanted.
> >
> > There are currently 29 suid and 14 sgid bits set in Makefile:s
> > that would be affected by this.
> > Some of them make sense to group together, e.g. lpr, ping, etc.
> >
> > I think it just makes more sense to provide all of them
> > (some grouped) than to only have 1 knob for all of them.
> >
> > /Johan K
>
> Granularity is wanted, at least by me and others I have spoken to. I
> don't know if it is best to clutter make.conf or if there is a better
> place, or a new place, that these knobs could be placed. However, if
> you're going to provide the flexibility I would think you should go all
> the way with it. Perhaps provide some canned sets, and/or the ability
> to make 'groups' of binaries in the configuration but there definitely
> has to be the ability to configure it to the level of individual
> binaries.
>
> IMHO :)

I agree that granularity would be a good thing; how about something else
though, something like the following:

NOSUID_LIST= passwd chsh chfn

..and then, in usr.bin/passwd/Makefile..

.if "${NOSUID_LIST:Mpasswd}" == ""
BINMODE= 4555
.endif

Alternatively, the NOSUID_LIST may be turned into SUID_LIST, but that
might pose problems with its default value.

G'luck,
Peter

--
Peter Pentchev    roam@ringlet.net    roam@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
If this sentence didn't exist, somebody would have invented it.
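The per-program check from the message above, carried a bit further as an added example (not Peter's code and not from the FreeBSD tree): it adds the "groups" of binaries the quoted replies ask for and a default so that an unset NOSUID_LIST still produces the stock setuid build. The NOSUID_GROUP_* names and the inline make.conf section are assumptions made for the example.

```make
# Constructed example, not from the FreeBSD tree.  The make.conf part is
# shown inline so the whole fragment can be tried with "make -V BINMODE".

# --- what an administrator would put in /etc/make.conf ---
# Named groups are an assumption of this example; listing a group drops
# the setuid bit from every program in it, and individual names can be
# mixed in freely.
NOSUID_GROUP_PRINT= lpr lpq lprm lpc
NOSUID_GROUP_NET=   ping traceroute
NOSUID_LIST=        ${NOSUID_GROUP_PRINT} ${NOSUID_GROUP_NET} chfn chsh

# --- what usr.bin/passwd/Makefile would carry ---
PROG=   passwd
# Default to an empty list when nothing was set (make.conf is read before
# the Makefile, so "?=" never overrides an administrator's choice).  This
# keeps the .if below well-formed and the stock build installs passwd
# setuid root as before.
NOSUID_LIST?=
# ${NOSUID_LIST:Mpasswd} keeps only the words of NOSUID_LIST that match
# "passwd"; an empty result means passwd was not opted out.  When it was,
# BINMODE is left alone and falls through to the bsd.own.mk default of
# 555, i.e. no setuid bit.
.if "${NOSUID_LIST:Mpasswd}" == ""
BINMODE= 4555
.endif
```

Saved as a file, `make -V BINMODE -f <file>` prints 4555; adding passwd to NOSUID_LIST (or passing NOSUID_LIST=passwd on the command line) leaves BINMODE unset so the 555 default applies.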