Date: Thu, 25 Mar 2004 08:50:18 -0500 (EST) From: Robert Watson <rwatson@FreeBSD.org> To: Pawel Jakub Dawidek <pjd@FreeBSD.org> Cc: freebsd-arch@FreeBSD.org Subject: Re: SUIDDIR -> security.bsd.suiddir_enable. Message-ID: <Pine.NEB.3.96L.1040325084920.52837E-100000@fledge.watson.org> In-Reply-To: <20040325123554.GZ8930@darkness.comp.waw.pl>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, 25 Mar 2004, Pawel Jakub Dawidek wrote: > On Thu, Mar 25, 2004 at 11:06:38PM +1100, Bruce Evans wrote: > +> On Thu, 25 Mar 2004, Pawel Jakub Dawidek wrote: > +> > +> > Any objection on such exchange? > +> > > +> > In p4 pjd_suiddir branch I've a code that replace SUIDDIR kernel option > +> > with sysctl security.bsd.suiddir_enable sysctl with is turned off by > +> > default. SUIDDIR option is not removed, but it means now: turn on suiddir > +> > functionality by default. > +> > +> Using SUIDDIR is controlled by the MNT_SUIDDIR mount option, so there > +> shouldn't be another knob to control it. If there is a security problem > +> using MNT_SUIDDIR, then MNT_SUIDDIR should be disallowed up front so > +> that that all the places that implement SUIDDIR don't have to test > +> both knobs. > > First of all this adds 0 overhead. And I think there is a need for > additional level of security for such functionality, but I see no reason > to force people to recompile kernel. Actually, I think what Bruce is actually saying is that the MNT_SUIDDIR mount option should be sufficient without a sysctl, if we really think suiddir is safe to use, rather than offering a global disable off by default. So the question really becomes "do we want to use recompilation as a hurdle to discourage use of this feature"... Robert N M Watson FreeBSD Core Team, TrustedBSD Projects robert@fledge.watson.org Senior Research Scientist, McAfee Research
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.NEB.3.96L.1040325084920.52837E-100000>