From: Warner Losh
To: "Andrey A. Chernov"
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/etc Makefile src/include Makefile src/release Makefile src/release/picobsd/build Makefile.mfs src/release/picobsd/custom Makefile.mfs src/release/picobsd/dial Makefile.mfs src/release/picobsd/install Makefile.mfs
Date: Wed, 26 Jul 2000 11:38:06 -0600
Message-Id: <200007261738.LAA30792@harmony.village.org>
In-reply-to: Your message of "Wed, 26 Jul 2000 21:17:34 +0400." <20000726211733.B50294@nagual.pp.ru>
References: <20000726211733.B50294@nagual.pp.ru> <200007252213.PAA34677@netplex.com.au> <10733.964597601@localhost> <200007261456.IAA11238@nomad.yogotech.com> <20000726125721.Z51462@jade.chc-chimes.com> <200007261659.KAA11807@nomad.yogotech.com> <397F1B6F.46320037@cup.hp.com>

[[ CCs trimmed ]]

In message <20000726211733.B50294@nagual.pp.ru> "Andrey A. Chernov" writes:
: On Wed, Jul 26, 2000 at 10:10:07AM -0700, Marcel Moolenaar wrote:
: > The question I have is why do we then want to change mtree back to the
: > "insecure" behaviour?
:
: I already answered this once. Mtree _as_application_ is just a userland
: program and can't be secure or insecure. It must act how it was originally
: designed, to make it less confusing to users who know this application. And
: it was designed with defaults to PHYSICAL.
:
: Since we use this application to create system directories, which _is_ a
: security issue, I added -L to handle that case.

Yes. mtree should be PHYSICAL. That's what BSD traditionally does and that's what the other BSDs still do. It would be a security issue to have it do something different by default, despite FreeBSD's larger install base.

The case for the build is less clear. We have two problems.

First problem is that of the symbolic links for critical system directories (those in / and /var). If you have a symbolic link, you might set up the linked-to directory improperly and the next make installworld right now will fix it for you. However, once fixed, these directories will remain fixed until the sysadmin does something to the directory. Or maybe the sysadmin knows what he's doing better than FreeBSD. So we need a way to turn this on/off. I have proposed a knob in /etc/make.conf to do this, which people seem to be ignoring.

Second problem is the one Peter and others have raised. Namely that if you have symbolic links for your sys tree, which is fully supported, then the files that you used to own will become owned by root when you do the installworld. This again argues for a knob that will turn this on/off for people that need it.

The one area that Andrey and I don't agree on at the moment is if it should be on by default or off by default. I guess the first person to find time to implement it will get to choose :-).

Maybe this issue needs to be addressed in a more creative way. If we were to update /etc/security to warn of these insecure directories, then we could easily have -L off and the system admin would know, via the handbook docs that we could write, to run mtree -L once to fix the problems. Since the directories stay fixed once fixed, absent enemy action, this might be a good solution.

Also, we might put something in the buildworld process that checks at the end so that people would know if they had a problem right away.

Warner
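As an added illustration of the /etc/security-style check Warner proposes above (example code written for this page, not part of Warner Losh's message, of FreeBSD's /etc/security, or of mtree itself): a portable sh function that reports which critical directories under a given root are symbolic links, together with the owner and mode of the directory each one points to, so an administrator can see where a PHYSICAL mtree run would not have applied ownership and mode fixes. The directory list in CRITICAL_DIRS and the function name check_symlinked_dirs are assumptions chosen for the example; the list models the "/ and /var" directories the message refers to and should be aligned with the local mtree specs.

```shell
#!/bin/sh
# Added example, not code from the message or from FreeBSD.
# Report critical system directories that are symbolic links rather than
# real directories. A PHYSICAL mtree run (no -L) does not follow such links,
# so ownership/mode fixes are not applied to the directory they point at.

# Assumed list of critical directories, relative to a root prefix; models
# the "/ and /var" directories named in the message. Adjust to local specs.
CRITICAL_DIRS="bin etc sbin tmp usr var var/tmp var/log var/run"

# check_symlinked_dirs ROOT
# Prints one line per critical directory under ROOT that is a symlink:
#   <path> -> <link target> (<mode> <owner> <group> of the target directory)
# Returns 0 when no symlinked critical directory was found, 1 otherwise,
# so it can drive a periodic-security-style report or a post-build check.
check_symlinked_dirs() {
    root=${1:-/}
    root=${root%/}                # "/" becomes "", so paths read "/bin"
    found=0
    for d in $CRITICAL_DIRS; do
        p="$root/$d"
        # skip entries that simply do not exist (dangling links still count)
        [ -e "$p" ] || [ -L "$p" ] || continue
        if [ -L "$p" ]; then
            target=$(readlink "$p")
            if [ -d "$p" ]; then
                # ls -ld on the link shows the link itself; the trailing
                # slash makes it stat the directory the link resolves to
                info=$(ls -ld "$p/" | awk '{print $1, $3, $4}')
            else
                info="target is not a directory"
            fi
            printf '%s -> %s (%s)\n' "$p" "$target" "$info"
            found=1
        fi
    done
    return $found
}

# Stand-alone use: sh check_symlinks.sh /   (reports on the live system)
if [ $# -gt 0 ]; then
    check_symlinked_dirs "$1"
fi
```

The function only reads the filesystem and never follows the links to change anything; the decision to run mtree -L once and fix the linked-to directories stays with the administrator, which matches the message's point that the logical traversal should be a deliberate one-time action rather than the default.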