From owner-cvs-all Wed Jul 26 11:33:17 2000
Date: Wed, 26 Jul 2000 11:10:06 -0700
From: Marcel Moolenaar
Organization: Hewlett-Packard
To: Warner Losh
Cc: "Andrey A. Chernov", cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/etc Makefile src/include Makefile src/release Makefile src/release/picobsd/build Makefile.mfs src/release/picobsd/custom Makefile.mfs src/release/picobsd/dial Makefile.mfs src/release/picobsd/install Makefile.mfs

Warner Losh wrote:
>
> [[ CCs trimmed ]]
>
> In message <20000726211733.B50294@nagual.pp.ru> "Andrey A. Chernov" writes:
> : On Wed, Jul 26, 2000 at 10:10:07AM -0700, Marcel Moolenaar wrote:
> : > The question I have is why do we then want to change mtree back to the
> : > "insecure" behaviour?
> :
> : I already answered this once. Mtree _as_application_ is just a userland
> : program and can't be secure or insecure. It must act how it was originally
> : designed, to cause less confusion to users who know this application. And
> : it was designed with defaults to PHYSICAL.
> :
> : Since we use this application to create system directories, which _is_ a
> : security issue, I add -L to handle that case.
>
> Yes. mtree should be PHYSICAL. That's what BSD traditionally does
> and that's what the other BSDs still do. It would be a security issue
> to have it do something different by default, despite FreeBSD's larger
> install base.

I'm not disagreeing; I'm just playing devil's advocate. People are using
security in ambiguous ways, IMO.

> Second problem is the one Peter and others have raised. Namely that
> if you have symbolic links for your sys tree, which is fully supported,
> then the files that you used to own will become owned by root when
> you do the installworld.

Which is a security issue as well, right?

> The one area that Andrey and I don't agree on at the moment is if it
> should be on by default or off by default. I guess the first person
> to find time to implement it will get to choose :-).

I think the mtree default should be good enough for the build process.

> Maybe this issue needs to be addressed in a more creative way. If we
> were to update /etc/security to warn of these insecure directories,
> then we could easily have -L off and the system admin would know, via
> the handbook docs that we could write, to run mtree -L once to fix the
> problems.

I can remember, fuzzily though, that my OS at that time, NetBSD IIRC, had
exactly that. It did a daily scan over the disk to report any mismatches
on MODs and ownership. I don't know the details anymore and am probably
mistaken... It sounds like a good solution with a general function, though.
--
Marcel Moolenaar
  mail: marcel@cup.hp.com / marcel@FreeBSD.org
  tel:  (408) 447-4222
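The two behaviours argued over in this thread, PHYSICAL (mtree's default, symlinks are not followed) versus LOGICAL (mtree -L, symlinks are followed), plus the /etc/security-style daily report Warner proposes, as an added illustration. This is not mtree(8) or any FreeBSD code: it uses a tiny in-memory spec of `{relative path: (type, mode)}` instead of mtree's spec format, checks only node type and permission bits (ownership is handled the same way but cannot be exercised without root), and the directory tree it builds is constructed for the demo. The point it shows is the one in the thread: in physical mode a system directory that has been replaced by a user's symlink is reported as a type mismatch and its target is never inspected or repaired, while in logical mode the target is treated as the directory and its mode is checked and fixed.

```python
"""Physical vs logical symlink handling in an mtree-style directory audit.

Added example, not FreeBSD's mtree(8).  Spec format and function names are
assumptions made for the illustration.
"""
import os
import stat
import tempfile

# Node-type predicates keyed by the type names used in our toy spec.
TYPE_OF = {"dir": stat.S_ISDIR, "file": stat.S_ISREG, "link": stat.S_ISLNK}


def audit(root, spec, follow_symlinks=False):
    """Report every spec entry that does not match the tree under `root`.

    follow_symlinks=False is mtree's default (PHYSICAL): os.lstat looks at
    the node itself, so a symlink standing in for a directory is a type
    mismatch.  follow_symlinks=True corresponds to mtree -L (LOGICAL): os.stat
    follows the link, so the link *target* is what gets compared.
    Returns a sorted list of (relpath, problem) strings, the kind of output a
    daily /etc/security run would mail to root."""
    problems = []
    for rel, (want_type, want_mode) in sorted(spec.items()):
        path = os.path.join(root, rel)
        try:
            st = os.stat(path) if follow_symlinks else os.lstat(path)
        except FileNotFoundError:
            problems.append((rel, "missing"))
            continue
        if not TYPE_OF[want_type](st.st_mode):
            # Like mtree, a node of the wrong kind is reported and nothing
            # below it is inspected or touched.
            problems.append((rel, "type mismatch (%s expected)" % want_type))
            continue
        have_mode = stat.S_IMODE(st.st_mode)
        if have_mode != want_mode:
            problems.append((rel, "mode %o, expected %o" % (have_mode, want_mode)))
    return problems


def apply_spec(root, spec, follow_symlinks=False):
    """Repair permission mismatches found by audit() (mtree's -U style update).

    Returns the relpaths whose mode was changed.  Type mismatches are left
    alone, so in physical mode a symlinked directory keeps whatever mode the
    user gave its target; in logical mode the target is chmod'ed."""
    fixed = []
    for rel, problem in audit(root, spec, follow_symlinks):
        if not problem.startswith("mode "):
            continue
        os.chmod(os.path.join(root, rel), spec[rel][1])  # os.chmod follows links
        fixed.append(rel)
    return fixed


def demo():
    """Constructed scenario: the spec says usr/lib is a 0755 directory, but on
    disk usr/lib is a symlink to a world-writable directory under a user's
    home.  Returns what each mode reports and what -L style repair does."""
    top = tempfile.mkdtemp()
    root = os.path.join(top, "root")
    for d in ("etc", "usr"):
        os.makedirs(os.path.join(root, d))
        os.chmod(os.path.join(root, d), 0o755)  # explicit, independent of umask
    elsewhere = os.path.join(top, "home", "user", "lib")
    os.makedirs(elsewhere)
    os.chmod(elsewhere, 0o777)
    os.symlink(elsewhere, os.path.join(root, "usr", "lib"))

    spec = {
        "etc": ("dir", 0o755),
        "usr": ("dir", 0o755),
        "usr/lib": ("dir", 0o755),
    }
    physical = audit(root, spec, follow_symlinks=False)
    logical = audit(root, spec, follow_symlinks=True)
    fixed = apply_spec(root, spec, follow_symlinks=True)
    after = audit(root, spec, follow_symlinks=True)
    return {
        "physical": physical,   # symlink where a dir was expected; target untouched
        "logical": logical,     # target's 0777 mode is seen and flagged
        "fixed": fixed,         # -L style repair chmods the target
        "after": after,         # clean after repair
        "target_mode": stat.S_IMODE(os.stat(elsewhere).st_mode),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Note that `apply_spec(..., follow_symlinks=False)` changes nothing in this scenario: physical mode stops at the type mismatch, which is exactly the state Andrey calls insecure (the real directory stays world-writable) and the state Warner's daily report would surface so an admin can decide whether to run the logical fix once.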