Date: Tue, 23 Apr 2002 11:40:52 -0400
From: Mike Barcroft
To: "Jacques A. Vidrine"
Cc: Poul-Henning Kamp, Garrett Wollman, "M. Warner Losh", cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/kern kern_descrip.c kern_exec.c src/sys/sys filedesc.h
Message-ID: <20020423114052.F72727@espresso.q9media.com>
In-Reply-To: <20020423152003.GB28750@madman.nectar.cc>; from nectar@FreeBSD.org on Tue, Apr 23, 2002 at 10:20:03AM -0500

Jacques A. Vidrine writes:
> I prefer
>
> 	do {
> 		fd = open("/dev/null", O_RDWR);
> 		if (fd < 0)
> 			exit(1);
> 	} while (fd < 3);
> 	close(fd);
>
> but I've already added that to all setuid executables that will ever
> run on FreeBSD -- even if they haven't been invented yet.

Yes, at the cost of breaking conforming applications -- even if they
haven't been invented yet.  I don't have any objections to your hack
being left in place until the base system can be audited or even in
the long term if it's made into a kernel option.

> See bugtraq Message-ID: <20020422222822.A27144@outpost.ds9a.nl> for a
> different point of view.  (We seem to be one of the few unices left
> that didn't already do this.)

It's interesting to note that the only UNIX-branded system on the list
is "Vulnerable".  I'll be interested to see what solution Sun
provides, if any.

Best regards,
Mike Barcroft
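
Added example, not part of the original message or of the FreeBSD commit under discussion: the userland check quoted above, written so that each of descriptors 0, 1 and 2 is tested individually and a failure is returned to the caller instead of calling exit(). The name `ensure_std_fds` is hypothetical.

```c
/* Added example; ensure_std_fds() is a hypothetical helper name. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/*
 * Make sure descriptors 0, 1 and 2 are open before the program opens
 * anything else, so that a later open() cannot be handed one of them.
 * Returns the number of descriptors that had to be pointed at
 * /dev/null, or -1 on failure (the caller should exit).
 */
int
ensure_std_fds(void)
{
	int fd, nfd, repaired = 0;

	for (fd = 0; fd <= 2; fd++) {
		if (fcntl(fd, F_GETFD) != -1)
			continue;	/* already open, leave it alone */
		if (errno != EBADF)
			return (-1);
		/* open() returns the lowest free descriptor, which is fd
		 * here because every lower one is known to be open. */
		nfd = open("/dev/null", O_RDWR);
		if (nfd == -1)
			return (-1);
		if (nfd != fd) {	/* unexpected: refuse to continue */
			close(nfd);
			return (-1);
		}
		repaired++;
	}
	return (repaired);
}

int
main(void)
{
	int n = ensure_std_fds();

	if (n == -1)
		_exit(1);	/* stderr may not exist, so no message */
	printf("descriptors repaired: %d\n", n);
	return (0);
}
```

Descriptors that are already open are left untouched, so the call is safe to make unconditionally at the top of main() in a setuid program.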