Date:      Sun, 25 Jun 2006 02:06:16 -0600 (MDT)
From:      "M. Warner Losh" <imp@bsdimp.com>
To:        jrh29@eecs.cwru.edu
Cc:        freebsd-current@freebsd.org
Subject:   Re: ~/.hosts patch
Message-ID:  <20060625.020616.2040338822.imp@bsdimp.com>
In-Reply-To: <C41481BC-89F3-457E-9FD0-CB85CE7B93E7@eecs.cwru.edu>
References:  <C41481BC-89F3-457E-9FD0-CB85CE7B93E7@eecs.cwru.edu>

In message: <C41481BC-89F3-457E-9FD0-CB85CE7B93E7@eecs.cwru.edu>
            Justin Hibbits <jrh29@eecs.cwru.edu> writes:
: Hey folks, got an interesting patch.  This adds a ~/.hosts file  
: (personal version of /etc/hosts).  It was written against 6-STABLE  
: about a week before 6.1 was released, and has been sitting collecting  
: dust for the last month and a half.  Currently it augments /etc/hosts  
: instead of replacing it or prepending it.  Any comments?  One  
: suggestion that was made was to make it an nss module so that it  
: could be controlled by the admin.  It probably could use some cleanup  
: as well, just putting it out here for proof of concept for now, and  
: some direction.

I specifically disabled similar functionality for setuid programs when
I was security officer.  It was for HOSTALIAS files.  These are files
that are read through the HOSTALIAS environment variable.  This was
implemented in resolv/res_query.c.  Similar to what you've listed here.

Your check for setuid is insufficient.  You should use issetugid()
rather than the tests against euid and uid, which can fail and don't
take groups into account at all.

http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/3524 contains all the
details, such as it is.

Warner
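The issetugid() point above, as an added example (not code from this thread or from FreeBSD's libc): a gate a resolver could apply before honouring a per-user ~/.hosts file. The getauxval(AT_SECURE) fallback for glibc systems and the function names are assumptions of the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#if defined(__linux__)
#include <sys/auxv.h>
#endif

/* The pattern criticised in the thread: compares real and effective uid
 * only.  It ignores setgid binaries entirely, and misses a process that was
 * set-id at exec and has since dropped privilege but still carries an
 * attacker-controlled environment (HOME, HOSTALIASES, ...). */
int naive_is_setid(void)
{
    return getuid() != geteuid();
}

/* Kernel-tracked "was this process ever privileged since exec" flag.
 * issetugid(2) is BSD-specific; AT_SECURE is the glibc equivalent (an
 * assumption of this example).  Unknown platforms fail closed. */
int process_is_tainted(void)
{
#if defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__NetBSD__) || defined(__APPLE__)
    return issetugid();
#elif defined(__linux__)
    return getauxval(AT_SECURE) != 0;
#else
    return 1;
#endif
}

/* Build "<home>/.hosts" into buf only when the process is not tainted and
 * home is an absolute path.  Returns buf, or NULL when the personal file
 * must be ignored (tainted process, bad home, or truncated path). */
char *personal_hosts_path(const char *home, char *buf, size_t buflen)
{
    if (process_is_tainted() || home == NULL || home[0] != '/')
        return NULL;
    if (snprintf(buf, buflen, "%s/.hosts", home) >= (int)buflen)
        return NULL;
    return buf;
}

int main(void)
{
    char buf[1024];
    printf("naive uid/euid check says set-id: %d\n", naive_is_setid());
    printf("kernel taint flag says set-id:    %d\n", process_is_tainted());
    const char *p = personal_hosts_path(getenv("HOME"), buf, sizeof buf);
    printf("personal hosts file: %s\n", p ? p : "(ignored)");
    return 0;
}
```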
