To: Andrey Chernov, kientzle@acm.org, Colin Percival, David Schultz, freebsd-current@FreeBSD.ORG
From: Ian Freislich
In-Reply-To: Message from Andrey Chernov <20040225000702.GC32548@nagual.pp.ru>
Date: Wed, 25 Feb 2004 09:35:57 +0200
Subject: Re: What to do about nologin(8)?

> On Tue, Feb 24, 2004 at 03:56:44PM -0800, Tim Kientzle wrote:
> > >>(2) Make nologin(8) setgid nobody, so rtld ignores LD_LIBRARY_PATH.
> > >
> > > Wearing my member-of-security-team hat, I have to say I'm rather
> > > unhappy with this idea. It's also been pointed out (by nectar) that
> > > there are issues with NFS if files are owned by nobody or nogroup.
>
> This idea comes from a very narrow vision. What to do, say, with
> dynamically linked /usr/local/bin/bash? Whole "nologin" story starts

Interestingly /usr/local/bin/bash is statically linked by default. Well, the bash2 port is at least.

[ian] ~ $ ldd /usr/local/bin/bash
ldd: /usr/local/bin/bash: not a dynamic executable

Ian

--
Ian Freislich
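The ldd check above, generalised into a small audit helper as an added example (not code from the thread or from FreeBSD): it reads the ELF program headers directly, applies the same "dynamic executable" test ldd uses (presence of PT_INTERP or PT_DYNAMIC), and combines that with the set-id bits to state whether LD_LIBRARY_PATH can influence a binary at all. The function names and the constructed ELF64 image used as sample input are assumptions of this example.

```python
import os
import stat
import struct

PT_DYNAMIC = 2   # program header types that mean "needs the run-time linker"
PT_INTERP = 3

def is_dynamic_elf(data: bytes) -> bool:
    """True if the image has PT_INTERP or PT_DYNAMIC, the condition ldd calls a dynamic executable."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    end = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little, 2 = big endian
    if data[4] == 2:                             # EI_CLASS: ELF64
        (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
    elif data[4] == 1:                           # ELF32
        (e_phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
    else:
        raise ValueError("unknown ELF class")
    for i in range(e_phnum):
        (p_type,) = struct.unpack_from(end + "I", data, e_phoff + i * e_phentsize)
        if p_type in (PT_INTERP, PT_DYNAMIC):
            return True
    return False

def classify(data: bytes, mode: int) -> str:
    """Summarise, for one binary, whether LD_LIBRARY_PATH can influence how it is loaded."""
    if not is_dynamic_elf(data):
        return "static: rtld never runs, LD_LIBRARY_PATH is irrelevant"
    if mode & (stat.S_ISUID | stat.S_ISGID):
        return "dynamic set-id: rtld ignores LD_LIBRARY_PATH"
    return "dynamic: rtld honours LD_LIBRARY_PATH"

def classify_path(path: str) -> str:
    """Classify an installed binary such as /usr/local/bin/bash or /sbin/nologin."""
    with open(path, "rb") as f:
        return classify(f.read(), os.stat(path).st_mode)

def build_sample_elf64(p_types) -> bytes:
    """Constructed little-endian ELF64 image (not a runnable binary) with the given p_type values."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0x400000, 64, 0, 0,
                               64, 56, len(p_types), 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 5, 0, 0, 0, 0, 0, 0x1000) for t in p_types)
    return ehdr + phdrs
```

Running classify_path over the login shells listed in /etc/shells gives the per-binary answer the thread is arguing about, without depending on ldd's exact wording.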