From: "Daniel C. Sobral" <dcs@newsguy.com>
Date: Thu, 07 Oct 1999 05:03:55 +0900
To: Joe Abley
Cc: Conrad Minshall, FreeBSD Hackers <freebsd-hackers@freebsd.org>
Subject: Re: Apple's planned approach to permissions on movable filesystems
References: <199910052119.OAA24627@scv1.apple.com> <37FB5A53.3E016EFA@newsguy.com> <19991007073435.A20998@patho.gen.nz>

Joe Abley wrote:
>
> On Wed, Oct 06, 1999 at 11:18:59PM +0900, Daniel C. Sobral wrote:
> > One would better assume that files available over NFS will be read
> > by anyone who wants, and, likewise, that files available on
> > removable media will be read by anyone who wants. That side of the
> > problem does not belong to this discussion.
> >
> > [...]
> >
> > The question here is how to minimize the cost/benefit ratio of
> > letting users mount external file systems on their own. At the very
> > least, the system must never trust that data. Ergo, no suid/sgid.
>
> Show me a disk that's _not_ removable. By your logic we would have _no_
> suid/sgid binaries _ever._

Please, don't give me this crap. "Removable media" is a very well-defined terminology.

> Physical access to a machine is always a security risk. Why would you
> treat easily-removable media any differently to slightly-harder-to-remove
> media? You still need to break into the vault to remove them.

Why? Because in the latter case you do not expect users to remove (or insert, which is the case above) media in the system, except as a serious breach in physical security, and in the former case you *EXPECT* and *PROVIDE THE MEANS FOR* the user to change the media. That makes all the difference.

--
Daniel C. Sobral (8-DCS)
dcs@newsguy.com
dcs@freebsd.org

"I always feel generous when I'm in the inner circle of a conspiracy to subvert the world order and, with a small group of allies, just defeated an alien invasion. Maybe I should value myself a little more?"