When you first posted, you neglected to mention that your patch included
a deny list (/etc/sh.deny). This puts a different spin on things. :-)

While it sounds attractive on the surface, think how easy it is to work
around -- the exploit code must simply change its progname to something
which will never be in /etc/sh.deny (e.g. login).

So your patch scores something useful for a week, whereafter the script
kiddies catch up and we're back to square one. :-)

No, if this is to be done, it's with per-process credentials. Someone
is already working on such a system for FreeBSD. Since you seem
interested in helping out with the process of hardening FreeBSD, I urge
you to contact Robert Watson, who's spearheading the current hardening
You can reach him at Robert Watson <robert+free...@cyrus.watson.org>.

Thanks for your interest in a more secure FreeBSD. :-)