From owner-freebsd-current@FreeBSD.ORG Wed Feb 25 01:57:42 2004
Date: Wed, 25 Feb 2004 10:57:38 +0100
From: Richard Nyberg <rnyberg@it.su.se>
To: Ian Freislich
cc: Andrey Chernov, David Schultz, freebsd-current@FreeBSD.ORG, Colin Percival, kientzle@acm.org
References: <20040225000702.GC32548@nagual.pp.ru>
Subject: Re: What to do about nologin(8)?
At Wed, 25 Feb 2004 09:35:57 +0200, Ian Freislich wrote:
> > > On Tue, Feb 24, 2004 at 03:56:44PM -0800, Tim Kientzle wrote:
> > > >> (2) Make nologin(8) setgid nobody, so rtld ignores LD_LIBRARY_PATH.
> > > >
> > > > Wearing my member-of-security-team hat, I have to say I'm rather
> > > > unhappy with this idea. It's also been pointed out (by nectar) that
> > > > there are issues with NFS if files are owned by nobody or nogroup.
> >
> > This idea comes from a very narrow vision. What to do, say, with
> > dynamically linked /usr/local/bin/bash? Whole "nologin" story starts
>
> Interestingly /usr/local/bin/bash is statically linked by default.
> Well, the bash2 port is at least.
>
> [ian] ~ $ ldd /usr/local/bin/bash
> ldd: /usr/local/bin/bash: not a dynamic executable

FYI: that has recently changed.

-Richard
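The check the thread is doing by hand with ldd (is this login shell a dynamic executable, and would rtld honour LD_LIBRARY_PATH for it?) as an added audit script; this is example code, not part of the thread or of FreeBSD. It assumes the thread's premise that rtld ignores LD_LIBRARY_PATH for set-id binaries, treats PT_INTERP as the mark of a dynamic executable, and the make_elf64 images are constructed test inputs rather than real binaries.

```python
import os
import stat
import struct

PT_INTERP = 3  # program header naming the runtime linker (rtld / ld.so)

def program_header_types(data):
    """Return the p_type of every program header in an ELF image (32/64-bit, LE/BE)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    end = "<" if data[5] == 1 else ">"           # EI_DATA: 1 = little-endian
    if data[4] == 2:                              # EI_CLASS: 2 = ELF64
        phoff = struct.unpack_from(end + "Q", data, 32)[0]
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
    else:                                         # ELF32
        phoff = struct.unpack_from(end + "I", data, 28)[0]
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
    return [struct.unpack_from(end + "I", data, phoff + i * phentsize)[0]
            for i in range(phnum)]

def is_dynamically_linked(data):
    """Only an executable with PT_INTERP is started via rtld (ldd's 'dynamic executable')."""
    return PT_INTERP in program_header_types(data)

def ld_library_path_status(data, mode):
    """'static': rtld never runs; 'dynamic-setid': rtld runs but ignores
    LD_LIBRARY_PATH (the setgid idea); 'dynamic': LD_LIBRARY_PATH is honoured."""
    if not is_dynamically_linked(data):
        return "static"
    if mode & (stat.S_ISUID | stat.S_ISGID):
        return "dynamic-setid"
    return "dynamic"

def audit(paths):
    """Classify real files on disk, e.g. every entry of /etc/shells plus nologin."""
    report = {}
    for p in paths:
        with open(p, "rb") as f:
            report[p] = ld_library_path_status(f.read(), os.stat(p).st_mode)
    return report

def make_elf64(ptypes):
    """Constructed minimal little-endian ELF64 image (header + one phdr per p_type); not runnable."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3e, 1, 0, 64, 0, 0,
                              64, 56, len(ptypes), 64, 0, 0)
    return hdr + b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0) for t in ptypes)
```

Run audit() over the shells listed in /etc/shells to see which ones would still honour LD_LIBRARY_PATH.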