Message-Id: <200008111935.NAA36773@harmony.village.org>
To: Christopher Masto
Subject: Re: cvs commit: src/gnu/usr.bin/perl Makefile
Cc: "Chris D. Faulhaber", cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG
In-reply-to: Your message of "Fri, 11 Aug 2000 15:23:18 EDT." <20000811152305.C12290@netmonger.net>
Date: Fri, 11 Aug 2000 13:35:19 -0600
From: Warner Losh

In message <20000811152305.C12290@netmonger.net> Christopher Masto writes:
: Why not turn off setuid entirely by default?  In fact, compile setuid
: out of the kernel, and require people to install the kernel source and
: build a custom kernel before setuid works at all.  That would make
: FreeBSD much more secure, which is of course more important than
: being useful.

Because setuid is and can be made to be secure.

: In other words, what's so special about interpreted programs (written
: in a language with a special setuid safety mode) that we should
: not allow them to be setuid, but still allow it for compiled programs?

The interpreter is known to have bugs.

: There's nothing in the base system that requires ssh.  There's nothing
: in the base system that requires cc.  There's nothing in the base
: system that requires uucp, lpr, cal, or fpr.  If the content of the
: base system was truly determined by its relationship to other parts of
: the base system, we wouldn't _have_ a base system.

cc is required to build the system, which makes it a requirement.

: The question is not whether some other piece of FreeBSD requires it -
: it's whether the _users_ require it.

That's true.

: > It is a huge piece of software.  Sure, the fix came quickly and
: > didn't impact us this time, but what other bugs are there in this
: > huge piece of code that will bite us in the future?
:
: The same could be said of /kernel, but I wouldn't suggest removing it.
:
: > This bug existed despite the multiple reviews of perl.
:
: Because it was really a bug in mail.

No.  The bug was in perl in that it invoked mail w/o sanitizing the
environment.

: If you don't have the time to fix the problem properly, you shouldn't
: fix it.  What you've done is removed a large piece of functionality in
: a way that requires an extreme step (install all source and
: buildworld) for the average user to get it back.

Give me a break.  It isn't that huge a requirement today with the
disks that people have.  However, turning off the suid bit, as others
have suggested, fixes the problem nicely.

: I will now make a constructive suggestion for an alternate "quick
: fix".  Build and install the binary for suidperl, but don't make it
: setuid (or executable), and possibly stick it somewhere under a
: different name.  Then people can at least put it back without having
: to find room for /usr/src and time to run a buildworld.

Finding room for /usr/src is a non-issue.  However, since the fix of
turning off the setuid bit is so easy to make, I'll just do that
instead.

Warner
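
The message above locates the bug in perl invoking mail without sanitizing the environment. As an added example (not code from this thread, from perl or from FreeBSD), here is one common way a privileged C program hands a helper a fixed environment instead of the caller's; the function names, the allowlist and the PATH value are assumptions:

```c
#include <stddef.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Names copied from the caller's environment (assumed allowlist).
 * Values pass through unchanged; validate them if the helper parses them. */
static const char *const keep[] = { "TZ", "LANG", NULL };

/* True if entry is "NAME=value" for exactly this NAME (not a longer name). */
static int is_var(const char *entry, const char *name)
{
    size_t n = strlen(name);
    return strncmp(entry, name, n) == 0 && entry[n] == '=';
}

/*
 * Fill out[] with a fixed PATH plus the allowlisted entries of src[].
 * Anything not on the allowlist is dropped, whatever it is called.
 * Returns the entry count, or -1 if out[] (cap slots) is too small.
 */
int build_clean_env(char *const src[], char *out[], size_t cap)
{
    size_t n = 0;
    if (cap < 2) return -1;
    out[n++] = "PATH=/bin:/usr/bin";     /* never the caller's PATH */
    for (size_t k = 0; keep[k] != NULL; k++) {
        for (size_t i = 0; src[i] != NULL; i++) {
            if (!is_var(src[i], keep[k])) continue;
            if (n + 1 >= cap) return -1; /* keep room for the NULL */
            out[n++] = src[i];
            break;                       /* first definition wins */
        }
    }
    out[n] = NULL;
    return (int)n;
}

/* Run helper_argv[0] with the clean environment only.
 * Returns the wait status, or -1 on failure. */
int run_helper(char *const helper_argv[], char *const caller_env[])
{
    char *env[8];
    int status;
    if (build_clean_env(caller_env, env, 8) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execve(helper_argv[0], helper_argv, env); _exit(127); }
    return waitpid(pid, &status, 0) == pid ? status : -1;
}
```

The helper is named by absolute path and started with `execve`, so neither a shell nor a PATH search sees anything the caller supplied.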