On Thu, 14.10.2010 at 15:23:23 -0500, Brooks Davis wrote:
> One of the side effects of increasing NGROUPS_MAX is that it's possible
> for a process to be in more groups than can be transmitted over NFS
> (<4). When that happens users are mostly denied access to things they
> should have access to. However, permission evaluation order in unix
> means that groups can be denied access to files the world can read using
> so called negative permissions. I've written a scanner (derived from
> 100.chksetuid) for the periodic security script to flag such files as
> they pose a security risk (and nearly all the time are errors). I've
> not bothered looking for negative user permissions as that isn't broken
> over NFS and assuming the file is not on a read-only FS the user can
> just give themselves permissions again.
>
> One minor note: Before enabling this by default, ~6 files in the ports
> repo need fixing as they have world execute bits without user or group
> execute bits.
>
> Should this be enabled by default? I think so, but welcome discussion.

I'm with you, but a couple of points to note:

- Many admins won't be familiar with this problem and might not go as far
  as reading the periodic manpage for an explanation. Perhaps another
  paragraph could be emitted -- iff we have a hit -- that explains why
  periodic is checking the permissions.

- ufs,zfs is hardcoded, can't we get this list from somewhere else? We
  support NFS exports of ext2fs filesystems, right?

- Not a problem for sane setups, but somewhere out there is a machine
  where the resulting list might be several MB large. We currently don't
  restrict the periodic mail to a certain size, perhaps we should start
  doing this to avoid mailbox/mail system overflow?

Regards,
Uli
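
A minimal check for the negative group permissions discussed in this thread, as an added example that is not Brooks Davis's periodic script or FreeBSD code. The function names `scan_negative_group_perms` and `demo_scan` and the sample file tree are constructed for illustration; like the scanner described above, it ignores negative user permissions.

```shell
#!/bin/sh
# Added example: flag files and directories where "other" holds a
# permission bit that the group class lacks (negative group permissions).

# scan_negative_group_perms DIR  (hypothetical helper name)
# Prints every regular file or directory under DIR, without crossing
# filesystem boundaries, whose other-bits are not a subset of its group-bits.
scan_negative_group_perms() {
    find "$1" -xdev \( -type f -o -type d \) \( \
        \( -perm -004 ! -perm -040 \) -o \
        \( -perm -002 ! -perm -020 \) -o \
        \( -perm -001 ! -perm -010 \) \
    \) -print
}

# demo_scan builds a constructed sample tree in a temporary directory,
# scans it, prints the flagged paths relative to that tree, and cleans up.
demo_scan() {
    d=$(mktemp -d) || return 1
    for mode in 644 640 755 660; do      # group holds every bit other has
        touch "$d/ok_$mode" && chmod "$mode" "$d/ok_$mode"
    done
    for mode in 604 701 746; do          # other holds a bit the group lacks
        touch "$d/neg_$mode" && chmod "$mode" "$d/neg_$mode"
    done
    (cd "$d" && scan_negative_group_perms . | LC_ALL=C sort)
    rm -rf "$d"
}

demo_scan
```

Mode 701 is the case mentioned for the ports repo: a world execute bit with no group execute bit.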

