From: Robert Watson
Date: Tue, 15 Jan 2002 22:55:14 -0500 (EST)
To: Greg Lehey
Cc: Ruslan Ermilov, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/gnu/usr.bin/man/man Makefile man.c src/etc/mtree BSD.local.dist BSD.usr.dist BSD.x11-4.dist BSD.x11.dist
In-Reply-To: <20020116132917.K78030@wantadilla.lemis.com>

On Wed, 16 Jan 2002, Greg Lehey wrote:

> > The catpaging and setuidness features of man(1) combined make
> > it vulnerable to a number of security attacks. ...
> >
> > This means man(1) can no longer create system catpages on a
> > regular user's behalf. (It is still able to if the user has
> > write permissions to the directory holding catpages, e.g.,
> > user's own manpages, or if the running user is ``root''.)
>
> Hmm. I can see the security implications, but you'd need to compromise
> the system in the first place in order to break it, so it's not the most
> likely thing on earth. On the other hand, many people don't have such
> extreme security requirements, and they might get a little upset by the
> change.

It's actually not all that unusual to decide not to grant root privilege
to all users on a FreeBSD system.
In fact, I think you'll find that many consumers of FreeBSD don't care for
the idea that someone compromising Joe Customer's FreeBSD account gets root
access. Maybe even most. There's a lot of risk involved here, not all that
dissimilar to the risk involved in setuid suidperl. We turn that off by
default, and users can always turn it on if they need it.

One of the important activities we can do to make FreeBSD more secure for
our userbase is to be conservative about how we configure the system: not
turning on known risky daemons by default, especially when most users don't
use them, for example. This seems like a natural extension, especially
given the speed of modern machines, and the existence of a catman
distribution (see below).

> > To create and install catpages during ``make world'', please set
> > MANBUILDCAT=YES in /etc/make.conf.
>
> This won't help people installing from CD-ROM. It also takes up a lot
> of space. It would be nice to think of an alternative, like maybe a
> private catman directory for non-root users.

We have a catman distribution already, I believe, which can be enabled in
sysinstall. Maybe it's time to make it part of the default install, if it
isn't already.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services