|John Polstra||Jul 26, 2000 7:35 pm|
|Chris Costello||Jul 26, 2000 8:54 pm|
|Nate Williams||Jul 26, 2000 10:54 pm|
|Mark Murray||Jul 26, 2000 11:15 pm|
|Warner Losh||Jul 26, 2000 11:24 pm|
|Adrian Chadd||Jul 27, 2000 12:03 am|
|Poul-Henning Kamp||Jul 27, 2000 12:30 am|
|Alfred Perlstein||Jul 27, 2000 12:44 am|
|Jacques A. Vidrine||Jul 27, 2000 5:50 am|
|Neil Blakey-Milner||Jul 27, 2000 5:52 am|
|Jacques A. Vidrine||Jul 27, 2000 6:38 am|
|Daniel O'Connor||Jul 27, 2000 6:44 am|
|Neil Blakey-Milner||Jul 27, 2000 6:47 am|
|Robert Watson||Jul 27, 2000 8:14 am|
|Alfred Perlstein||Jul 27, 2000 9:39 am|
|Jacques A. Vidrine||Jul 27, 2000 11:03 am|
|Ollivier Robert||Jul 27, 2000 12:32 pm|
|John Polstra||Jul 27, 2000 9:28 pm|
|John Polstra||Jul 27, 2000 9:38 pm|
|Alexander Leidinger||Jul 28, 2000 5:09 am|
|John Polstra||Jul 28, 2000 8:21 am|
|Subject:||Re: How much security should ldconfig enforce?|
|From:||Robert Watson (rwat...@freebsd.org)|
|Date:||Jul 27, 2000 8:14:33 am|
On Thu, 27 Jul 2000, Jacques A. Vidrine wrote:
On Wed, Jul 26, 2000 at 07:36:13PM -0700, John Polstra wrote:
3. It could default to strictly secure but accept a command-line option to relax the constraints. And an rc.conf knob could be added to control whether or not it was strict at boot time.
I like this option, but the knob should be compile-time, IMHO.
I would support either the "revert" or (3) option, but definitely not support this being a compile-time flag. I should not have to recompile the operating system to allow our netsec group to have a /netsec/lib with different maintainers for different operating systems. Especially in NFS environments, placing requirements on permissions and ownership for directories is a very poor idea. In general, the UNIX mechanism has been to implement tools, but not policies, for which we already have quite a sufficient discretionary access control mechanism. In general, we don't check permissions on the /etc directory, we assume that it is set correctly during the install, and that if the user wants to change it, that is their perogative. The same goes for group files, etc. In the future, once we have a mandatory access control policy, integrity protection can be used to protect users from shared libraries of low integrity.
So my preference here is: permissions and ownership in the base install are fine. The default compile (and preferably install) should allow users to include group-writable shared library paths, if not world-writable paths. Consider our adduser implementation: each user is in their own group anyway :-).
Robert N M Watson
To Unsubscribe: send mail to majo...@FreeBSD.org with "unsubscribe freebsd-arch" in the body of the message