Date:      Wed, 26 Jul 2000 11:38:06 -0600
From:      Warner Losh <imp@village.org>
To:        "Andrey A. Chernov" <ache@nagual.pp.ru>
Cc:        cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   Re: cvs commit: src/etc Makefile src/include Makefile src/release Makefile src/release/picobsd/build Makefile.mfs src/release/picobsd/custom Makefile.mfs src/release/picobsd/dial Makefile.mfs src/release/picobsd/install Makefile.mfs 
Message-ID:  <200007261738.LAA30792@harmony.village.org>
In-Reply-To: Your message of "Wed, 26 Jul 2000 21:17:34 +0400." <20000726211733.B50294@nagual.pp.ru>
References:  <20000726211733.B50294@nagual.pp.ru>  <200007252213.PAA34677@netplex.com.au> <10733.964597601@localhost> <200007261456.IAA11238@nomad.yogotech.com> <20000726125721.Z51462@jade.chc-chimes.com> <200007261659.KAA11807@nomad.yogotech.com> <397F1B6F.46320037@cup.hp.com> 

[[ CCs trimmed ]]

In message <20000726211733.B50294@nagual.pp.ru> "Andrey A. Chernov" writes:
: On Wed, Jul 26, 2000 at 10:10:07AM -0700, Marcel Moolenaar wrote:
: > The question I have is why do we then want to change mtree back to the
: > "insecure" behaviour?
: 
: I already answered this once. Mtree _as_application_ is just a userland
: program and can't be secure or insecure. It must act as it was originally
: designed, to cause less confusion to users who know this application. And
: it was designed with defaults to PHYSICAL.
: 
: Since we use this application to create system directories, which _is_ a
: security issue, I added -L to handle that case.

Yes.  mtree should be PHYSICAL.  That's what BSD traditionally does
and that's what the other BSDs still do.  It would be a security issue
to have it do something different by default, despite FreeBSD's larger
install base.

The case for the build is less clear.  We have two problems.  The first
problem is that of the symbolic links for critical system directories
(those in / and /var).  If you have a symbolic link, you might set up
the linked-to directory improperly, and the next make installworld right
now will fix it for you.  However, once fixed, these directories will
remain fixed until the sysadmin does something to the directory.  Or
maybe the sysadmin knows what he's doing better than FreeBSD.  So we
need a way to turn this on/off.  I have proposed a knob in
/etc/make.conf to do this, which people seem to be ignoring.

The second problem is the one Peter and others have raised.  Namely, that
if you have symbolic links for your sys tree, which is fully supported,
then the files that you used to own will become owned by root when
you do the installworld.  This again argues for a knob that will turn
this on/off for people that need it.

The one area that Andrey and I don't agree on at the moment is if it
should be on by default or off by default.  I guess the first person
to find time to implement it will get to choose :-).

Maybe this issue needs to be addressed in a more creative way.  If we
were to update /etc/security to warn of these insecure directories,
then we could easily have -L off, and the system admin would know, via
the handbook docs that we could write, to run mtree -L once to fix the
problems.  Since the directories stay fixed once fixed, absent enemy
action, this might be a good solution.  Also, we might put something
in the buildworld process that checks at the end so that people would
know if they had a problem right away.

Warner
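The /etc/security-style warning Warner floats above, as an added example that is not part of the thread and not FreeBSD's own /etc/security or mtree code: a small POSIX sh audit that reports critical directories which are symbolic links and compares the link target (what "mtree -L" would act on) against an expected owner and permission string. It changes nothing, so the admin keeps the decision of when to run mtree -L once. The spec format ("path owner mode-string" per line), the function names and the sample paths are all assumptions made here.

```shell
#!/bin/sh
# Added example for this thread; not code from FreeBSD's /etc/security or
# from mtree. It audits a list of critical directories the way the proposed
# /etc/security check could: flag entries that are symbolic links, and flag
# a link *target* (what "mtree -L" would operate on) whose owner or mode
# differs from what is expected. Nothing is modified.
# The spec format (path owner mode-string, one entry per line) is assumed
# here and is not a real mtree specification.

# dir_facts PATH: print "<mode-string> <owner>" of PATH, following symlinks
# (ls -L), e.g. "drwxr-xr-x root". The mode string is cut to ten characters
# so trailing ACL or SELinux markers do not disturb the comparison.
dir_facts() {
    ls -ldL "$1" 2>/dev/null | awk '{ print substr($1, 1, 10), $3 }'
}

# audit_entry DIR OWNER MODE-STRING
# Prints one line per finding. Returns 0 when the entry is clean, 1 otherwise.
audit_entry() {
    dir=$1 want_owner=$2 want_mode=$3
    status=0
    if [ ! -e "$dir" ]; then
        echo "MISSING $dir"            # absent directory or dangling symlink
        return 1
    fi
    if [ -L "$dir" ]; then
        # A symlinked system directory: plain (PHYSICAL) mtree would fix the
        # link itself, "mtree -L" would fix whatever it points at.
        echo "SYMLINK $dir -> $(readlink "$dir")"
        status=1
    fi
    facts=$(dir_facts "$dir")
    have_mode=${facts%% *}
    have_owner=${facts#* }
    if [ "$have_mode" != "$want_mode" ]; then
        echo "MODE    $dir is $have_mode, expected $want_mode"
        status=1
    fi
    if [ "$have_owner" != "$want_owner" ]; then
        echo "OWNER   $dir is $have_owner, expected $want_owner"
        status=1
    fi
    return $status
}

# audit_spec < SPECFILE
# Reads "path owner mode-string" lines ('#' starts a comment), audits each,
# prints a summary, and succeeds only if every entry was clean.
# Usage: audit_spec < /etc/mtree-audit.spec   (file name is an assumption)
audit_spec() {
    problems=0
    while read -r path owner mode; do
        case "$path" in ''|'#'*) continue ;; esac
        audit_entry "$path" "$owner" "$mode" || problems=$((problems + 1))
    done
    echo "$problems problem entries"
    [ "$problems" -eq 0 ]
}
```

Run from a periodic job, the non-zero exit of audit_spec is what would turn into the daily security mail; because the check follows the link the way mtree -L does, a fixed target stays reported as clean until someone changes it again, which is exactly the "fixed once, stays fixed" property the message relies on.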


