From owner-freebsd-arch@freebsd.org Fri May 15 15:04:31 2020 Return-Path: Delivered-To: freebsd-arch@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id DEF242F7AA2; Fri, 15 May 2020 15:04:31 +0000 (UTC) (envelope-from jhs@berklix.com) Received: from slim.berklix.org (slim.berklix.org [94.185.90.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "slim.berklix.org", Issuer "slim.berklix.org" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 49NsBj1nRvz3xVf; Fri, 15 May 2020 15:04:28 +0000 (UTC) (envelope-from jhs@berklix.com) Received: from mart.js.berklix.net (p5DDB7209.dip0.t-ipconnect.de [93.219.114.9]) (authenticated bits=128) by slim.berklix.org (8.15.2/8.15.2) with ESMTPSA id 04FF4NXr065035 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 15 May 2020 17:04:27 +0200 (CEST) (envelope-from jhs@berklix.com) Received: from fire.js.berklix.net (fire.js.berklix.net [192.168.91.41]) by mart.js.berklix.net (8.14.3/8.14.3) with ESMTP id 04FF4MZC098672; Fri, 15 May 2020 17:04:22 +0200 (CEST) (envelope-from jhs@berklix.com) Received: from fire.js.berklix.net (localhost [127.0.0.1]) by fire.js.berklix.net (8.14.7/8.14.7) with ESMTP id 04FF423p040952; Fri, 15 May 2020 17:04:12 +0200 (CEST) (envelope-from jhs@berklix.com) Message-Id: <202005151504.04FF423p040952@fire.js.berklix.net> To: "freebsd-arch@freebsd.org" , "freebsd-hackers@freebsd.org" Cc: Kyle Evans , Poul-Henning Kamp , Alan Somers , Arne Steinkamm Subject: Re: [HEADSUP] Disallowing read() of a directory fd From: "Julian H. Stacey" Organization: http://berklix.com/jhs http://stolenvotes.uk User-agent: EXMH on FreeBSD http://berklix.com/free/ X-From: http://www.berklix.org/~jhs/ In-reply-to: Your message "Fri, 15 May 2020 08:14:38 -0500." Date: Fri, 15 May 2020 17:04:02 +0200 X-Rspamd-Queue-Id: 49NsBj1nRvz3xVf X-Spamd-Bar: / Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=none (mx1.freebsd.org: domain of jhs@berklix.com has no SPF policy when checking 94.185.90.68) smtp.mailfrom=jhs@berklix.com X-Spamd-Result: default: False [0.44 / 15.00]; ARC_NA(0.00)[]; TO_DN_EQ_ADDR_SOME(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; NEURAL_HAM_MEDIUM(-0.73)[-0.727,0]; MIME_GOOD(-0.10)[text/plain]; DMARC_NA(0.00)[berklix.com]; AUTH_NA(1.00)[]; RCPT_COUNT_FIVE(0.00)[6]; HAS_ORG_HEADER(0.00)[]; RCVD_COUNT_THREE(0.00)[4]; TO_MATCH_ENVRCPT_SOME(0.00)[]; NEURAL_SPAM_LONG(0.27)[0.273,0]; RCVD_IN_DNSWL_NONE(0.00)[68.90.185.94.list.dnswl.org : 127.0.10.0]; R_SPF_NA(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:33824, ipnet:94.185.88.0/22, country:DE]; RCVD_TLS_LAST(0.00)[]; IP_SCORE(-0.00)[ip: (0.01), ipnet: 94.185.88.0/22(0.01), asn: 33824(-0.00), country: DE(-0.02)]; RECEIVED_SPAMHAUS_PBL(0.00)[9.114.219.93.khpj7ygk5idzvmvt5x4ziurxhy.zen.dq.spamhaus.net : 127.0.0.10] X-BeenThere: freebsd-arch@freebsd.org X-Mailman-Version: 2.1.33 Precedence: list List-Id: Discussion related to FreeBSD architecture List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 15 May 2020 15:04:31 -0000 Kyle Evans wrote: > On Fri, May 15, 2020 at 2:51 AM Poul-Henning Kamp wrote: > > > > -------- > > In message > > , Kyle Evans writes: > > >On Thu, May 14, 2020 at 3:30 PM Poul-Henning Kamp wrote: > > > > >Can we explore the possibility of using fsdb(8) to fulfill these needs > > >in a way that you'd be comfortable with? > >> > > Summary: I'm perfectly fine with read(2) returning error on a > > directory *under normal circumstances*, and I think it makes good > > sense by protecting a lot of terminals from a lot of binary > > garbage. > > > > But there is absolutely no reason to make it *impossible* for > > a competent root to do what competent roots do. > > > > First, apologies if my previous message had offended you -- I didn't > mean for this, but as you can tell I was not well-equipped to discuss > the possibilities with a seasoned veteran such as yourself. > > I've prepared a patch locally to update the review that both hides it > off behind security.bsd.allow_read_dir (default off) and restricts it > to a new PRIV_VFS_READ_DIR that *is not* granted to jailed root. I No. Root is Root regardless if in a jail or not. A root admin of a server in a jail needs full power without waiting days to contact other root human who owns the prison, without wasting human time of jail owner & prison owner formulating email request & considering & enabling requirement. kevans@ wasted FreeBSD time with threat of change at 2 days notice, for an issue unchanged since 1972. The rush was immature. kevans@ should retract his threat of forced urgent change, or expect core@ be asked to remove his commit bit while FreeBSD considers _un-rushed_, allowing sufficient time for all to consider options, & to warn users in RELNOTES of any potential future change. > know we've already discussed this to some extent, but can you confirm > that these restrictions are reasonable and acceptable for you? I've > tentatively placed it in the security.bsd.* namespace because it can > and has had security implications, but I'm certainly not dead-set on > it staying there. > > Thanks, > > Kyle Evans > Cheers -- Julian Stacey, Consultant Systems Engineer, BSD Linux http://berklix.com/jhs/ http://www.berklix.org/corona/#masks Tie 2 handkerchiefs or 1 pillow case. Jobs & economy hit by Corona to be hit again by Crash Brexit 31st Dec. 2020