Date: Wed, 26 Jul 2000 11:10:06 -0700
From: Marcel Moolenaar <marcel@cup.hp.com>
To: Warner Losh <imp@village.org>
Cc: "Andrey A. Chernov" <ache@nagual.pp.ru>, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/etc Makefile src/include Makefile src/release Makefile src/release/picobsd/build Makefile.mfs src/release/picobsd/custom Makefile.mfs src/release/picobsd/dial Makefile.mfs src/release/picobsd/install Makefile.mfs
Message-ID: <397F297E.2E7D6C37@cup.hp.com>
References: <20000726211733.B50294@nagual.pp.ru> <200007252213.PAA34677@netplex.com.au> <10733.964597601@localhost> <200007261456.IAA11238@nomad.yogotech.com> <20000726125721.Z51462@jade.chc-chimes.com> <200007261659.KAA11807@nomad.yogotech.com> <397F1B6F.46320037@cup.hp.com> <200007261738.LAA30792@harmony.village.org>
Warner Losh wrote:
>
> [[ CCs trimmed ]]
>
> In message <20000726211733.B50294@nagual.pp.ru> "Andrey A. Chernov" writes:
> : On Wed, Jul 26, 2000 at 10:10:07AM -0700, Marcel Moolenaar wrote:
> : > The question I have is why do we then want to change mtree back to the
> : > "insecure" behaviour?
> :
> : I already answered this once. Mtree _as_application_ is just a userland
> : program and can't be secure or insecure. It must act how it was originally
> : designed, to cause less confusion for users who know this application. And
> : it was designed with defaults to PHYSICAL.
> :
> : Since we use this application to create system directories, which _is_ a
> : security issue, I added -L to handle that case.
>
> Yes. mtree should be PHYSICAL. That's what BSD traditionally does
> and that's what the other BSDs still do. It would be a security issue
> to have it do something different by default, despite FreeBSD's larger
> install base.

I'm not disagreeing; I'm just playing devil's advocate. People are using
security in ambiguous ways, IMO.

> Second problem is the one Peter and others have raised. Namely that
> if you have symbolic links for your sys tree, which is fully supported,
> then the files that you used to own will become owned by root when
> you do the installworld. Which is a security issue as well, right?
> The one area that Andrey and I don't agree on at the moment is if it
> should be on by default or off by default. I guess the first person
> to find time to implement it will get to choose :-).

I think the mtree default should be good enough for the build process.

> Maybe this issue needs to be addressed in a more creative way. If we
> were to update /etc/security to warn of these insecure directories,
> then we could easily have -L off and the system admin would know, via
> the handbook docs that we could write, to run mtree -L once to fix the
> problems.

I can remember, fuzzy though, that my OS at that time, NetBSD IIRC, had
exactly that. It did a daily scan over the disk to report any mismatches
on MODs and ownership. I don't know the details anymore and am probably
mistaken... It sounds like a good solution with a general function, though.

--
Marcel Moolenaar
mail: marcel@cup.hp.com / marcel@FreeBSD.org
tel: (408) 447-4222
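The PHYSICAL versus -L (logical) distinction argued over in this thread, as an added example that is neither part of the thread nor mtree(8)'s own code: a small report-only checker in the spirit of the /etc/security daily scan Warner proposes. It walks a constructed spec with lstat (physical, mtree's default) or stat (logical, like mtree -L) and shows why the logical walk reaches files behind a symlinked sys tree. The spec, the temporary layout and the function names are all constructed for illustration.

```python
import os
import stat
import tempfile

# Constructed spec in the spirit of an mtree(8) file: relative path -> expected keywords.
SPEC = {
    "sys": {"type": "dir", "mode": 0o755},
    "sys/kern": {"type": "dir", "mode": 0o755},
}

def _type_of(st):
    if stat.S_ISDIR(st.st_mode):
        return "dir"
    if stat.S_ISLNK(st.st_mode):
        return "link"
    return "file" if stat.S_ISREG(st.st_mode) else "other"

def check_tree(root, spec, logical=False):
    """Return (path, keyword, wanted, found) tuples; never modifies anything.
    logical=False mimics mtree's PHYSICAL default: lstat, links are never followed.
    logical=True mimics mtree -L: stat follows links, so checks (and an eventual
    -U fix) land on the link target, wherever on disk it lives."""
    mismatches, skipped = [], []   # skipped: link prefixes a physical walk won't enter
    for rel, want in sorted(spec.items()):
        if any(rel.startswith(p + "/") for p in skipped):
            continue
        path = os.path.join(root, rel)
        try:
            st = os.stat(path) if logical else os.lstat(path)
        except FileNotFoundError:
            mismatches.append((rel, "missing", want["type"], None))
            continue
        got = _type_of(st)
        if got != want["type"]:
            mismatches.append((rel, "type", want["type"], got))
            if got == "link":
                skipped.append(rel)   # like mtree, don't descend through the link
            continue
        if "mode" in want and stat.S_IMODE(st.st_mode) != want["mode"]:
            mismatches.append((rel, "mode", oct(want["mode"]), oct(stat.S_IMODE(st.st_mode))))
        if "uid" in want and st.st_uid != want["uid"]:
            mismatches.append((rel, "uid", want["uid"], st.st_uid))
    return mismatches

def demo():
    """Constructed layout: <root>/sys is a symlink to a sys tree kept elsewhere."""
    base = tempfile.mkdtemp()
    real_sys = os.path.join(base, "elsewhere", "sys")
    os.makedirs(os.path.join(real_sys, "kern"))
    os.chmod(os.path.join(real_sys, "kern"), 0o755)
    os.chmod(real_sys, 0o700)            # target directory deliberately off-spec
    root = os.path.join(base, "usr_src")
    os.mkdir(root)
    os.symlink(real_sys, os.path.join(root, "sys"))
    return check_tree(root, SPEC), check_tree(root, SPEC, logical=True)
```

The physical walk only reports that "sys" is a link where a directory was expected, whereas the logical walk follows it and reports the target's mode, which is exactly the node an mtree -U run with -L would then chmod or chown.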