From owner-freebsd-ports@FreeBSD.ORG  Tue Jul  8 18:39:44 2014
Return-Path: <owner-freebsd-ports@FreeBSD.ORG>
Delivered-To: freebsd-ports@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id ADFC5C4A;
 Tue,  8 Jul 2014 18:39:44 +0000 (UTC)
Received: from be-well.ilk.org (be-well.ilk.org [23.30.133.173])
 by mx1.freebsd.org (Postfix) with ESMTP id 860732285;
 Tue,  8 Jul 2014 18:39:44 +0000 (UTC)
Received: by be-well.ilk.org (Postfix, from userid 1147)
 id ED98B33C48; Tue,  8 Jul 2014 14:31:02 -0400 (EDT)
From: Lowell Gilbert <freebsd-ports-local@be-well.ilk.org>
To: Kevin Oberman <rkoberman@gmail.com>
Subject: Re: Gnome negative group permissions
References: <201407071824.s67IOXer057353@mech-cluster241.men.bris.ac.uk>
 <CAN6yY1uyePJTmdEoWbgreZ1zarsCfMFq10hZdEaNr8PgyRuaaw@mail.gmail.com>
Reply-To: FreeBSD Ports ML <freebsd-ports@freebsd.org>
Date: Tue, 08 Jul 2014 14:31:02 -0400
In-Reply-To: <CAN6yY1uyePJTmdEoWbgreZ1zarsCfMFq10hZdEaNr8PgyRuaaw@mail.gmail.com>
 (Kevin Oberman's message of "Tue, 8 Jul 2014 10:01:53 -0700")
Message-ID: <44ha2rity1.fsf@be-well.ilk.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain
Cc: mexas@bris.ac.uk, Brooks Davis <brooks@freebsd.org>,
 FreeBSD Ports ML <freebsd-ports@freebsd.org>
X-BeenThere: freebsd-ports@freebsd.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: Porting software to FreeBSD <freebsd-ports.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-ports>,
 <mailto:freebsd-ports-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ports/>
List-Post: <mailto:freebsd-ports@freebsd.org>
List-Help: <mailto:freebsd-ports-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ports>,
 <mailto:freebsd-ports-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Jul 2014 18:39:44 -0000

Kevin Oberman <rkoberman@gmail.com> writes:

> It's just that there are cases where negative group permissions are
> intended and this is such a case. If you don't want to see them, add
> "daily_status_security_neggrpperm_enable="NO"  to /etc/periodic.conf.

I added a hack to work around this without disabling the check
completely. Anything wrong with something of this sort?


--- /etc/periodic/security/110.neggrpperm	2014-07-08 14:12:31.000000000 -0400
+++ /usr/src/etc/periodic/security/110.neggrpperm	2014-06-03 19:49:13.000000000 -0400
@@ -37,26 +37,18 @@
 
 security_daily_compat_var security_status_neggrpperm_enable
 
-
 rc=0
 
 if check_yesno_period security_status_neggrpperm_enable
 then
 	echo ""
 	echo 'Checking negative group permissions:'
-
-	if [ -z ${security_neggrperm_ignore} ] ; then
-	    echo security_neggrperm_ignore not set
-	    security_neggrperm_ignore="/nonexistent"
-	fi
-
 	MP=`mount -t ufs,zfs | awk '$0 !~ /no(suid|exec)/ { print $3 }'`
 	n=$(find -sx $MP /dev/null -type f \
 	    \( \( ! -perm +010 -and -perm +001 \) -or \
 	    \( ! -perm +020 -and -perm +002 \) -or \
 	    \( ! -perm +040 -and -perm +004 \) \) \
-	    -exec ls -liTd \{\} \+ | grep -v "${security_neggrperm_ignore}" | \
-	    tee /dev/stderr | wc -l)
+	    -exec ls -liTd \{\} \+ | tee /dev/stderr | wc -l)
 	[ $n -gt 0 ] && rc=1 || rc=0
 fi