From owner-cvs-all Sun Nov 5 10:12:29 2000
Delivered-To: cvs-all@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 4761837B479; Sun, 5 Nov 2000 10:12:23 -0800 (PST)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id NAA79039; Sun, 5 Nov 2000 13:12:20 -0500 (EST) (envelope-from robert@fledge.watson.org)
Date: Sun, 5 Nov 2000 13:12:19 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: Don Lewis
Cc: "Brian F. Feldman", Don Lewis, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/etc MAKEDEV src/release Makefile
In-Reply-To: <200011051757.JAA21013@salsa.gv.tsc.tdk.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sun, 5 Nov 2000, Don Lewis wrote:

> } You have to be careful about including "mnt2" in any path: the /mnt*
> } directories are used for a variety of purposes, and there are no
> } guarantees about ownership. Having MAKENOD add /mnt* to the path may
> } introduce security problems if the media mounted is untrusted or has
> } permissions allowing non-privileged users to make changes to its stand
> } subtree. I.e., this path assumes that only trusted FreeBSD install media
> } is ever mounted on /mnt2, which is false. As such I'd strongly object to
> } adding mnt2 to the MAKEDEV path.
>
> MAKEDEV already has a hook to change the PATH, $MAKEDEVPATH. If this
> variable is not set, then MAKEDEV just hardwired PATH to /sbin:/bin (or
> it did until my previous change). There was never any code in the tree
> that set MAKEDEVPATH. I'm preparing to commit a change to sysinstall
> that will set MAKEDEVPATH to include the /mnt2 stuff before it kicks off
> the fixit floppy.
>
> With this fix, MAKEDEV won't normally have /mnt2 in its path, it will
> only be there when run from fixit.
> In any case, putting /mnt2 at the

Ok, sounds good to me--I thought this was the general case and not just
the repair floppy case, in which I agree this is fine.

> end of the path would be safe, because all the binaries that MAKEDEV
> will run will be found in /sbin and /bin which come first, unless
> someone has deleted them ...

It's a fail-closed thing: if the admin hoses a couple of entries in /sbin
or /bin, then users with the ability to write to /mnt2 should not be able
to leverage privilege in the default system.

Robert N M Watson
FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org
NAI Labs, Safeport Network Services
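As an added illustration of the fail-closed policy argued for above (this is not code from MAKEDEV, sysinstall or the commit under discussion), a POSIX sh helper that filters a candidate list such as `$MAKEDEVPATH` before it is used as PATH by a privileged script: an entry is kept only if it is a real directory owned by the invoking user and not group- or world-writable, so a directory on untrusted media mounted under /mnt2 cannot supply binaries even if /sbin or /bin is damaged. The function names `dir_is_trusted` and `build_safe_path` are hypothetical.

```shell
#!/bin/sh
# Keep only PATH entries that are safe to trust for privileged execution.
# Caveat: owner and mode bits come from the filesystem being examined, so
# on untrusted mounted media they prove little; this filter is a backstop
# for the ordering argument (trusted dirs first), not a replacement for it.

# dir_is_trusted DIR: succeed if DIR is a non-symlink directory owned by
# the invoking user (root when MAKEDEV runs) with no group/other write bit.
dir_is_trusted() {
    d=$1
    if [ ! -d "$d" ] || [ -L "$d" ]; then
        return 1
    fi
    # ls -ld prints "mode links owner group ..." on both BSD and GNU.
    set -- $(ls -ld "$d")
    mode=$1
    owner=$3
    [ "$owner" = "$(id -un)" ] || return 1
    case "$mode" in
        ?????w*|????????w*) return 1 ;;   # position 6: group w, 9: other w
    esac
    return 0
}

# build_safe_path LIST: print LIST (colon separated) with untrusted entries
# removed, reporting each dropped entry on stderr. Order is preserved, so
# callers can still place system directories ahead of optional ones.
build_safe_path() {
    candidates=$1
    result=
    oldifs=$IFS
    IFS=:
    for d in $candidates; do
        IFS=$oldifs
        [ -n "$d" ] || continue
        if dir_is_trusted "$d"; then
            result=${result:+$result:}$d
        else
            echo "MAKEDEV: dropping untrusted PATH entry: $d" >&2
        fi
    done
    IFS=$oldifs
    printf '%s\n' "$result"
}

# Example call as a privileged script might use it (constructed input):
build_safe_path "/sbin:/bin:${MAKEDEVPATH:-/mnt2/stand}" >/dev/null
```

Running as an unprivileged user, /sbin and /bin are themselves dropped (not owned by that user), which is the intended fail-closed behaviour rather than a bug.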