Re: What is "negative group permissions"? (Re: narawntapu security run output)

2013-01-07 Thread Brooks Davis
On Mon, Dec 24, 2012 at 03:27:57PM +, jb wrote:
> Mikhail T.  aldan.algebra.com> writes:
> 
> > 
> > On 23.12.2012 11:48, Chris Rees wrote:
> > > They involve a lot of thought to get right, as well as chmod g-w on 
> > > something where you probably meant chmod go-w is a disastrous but 
> > > (perhaps) common error. Chris 
> > 
> > Well, in (over 20) years of dealing with Unix, I've never made a mistake 
> > like that, nor do I understand, how it can be considered "common" ... 
> > Got to admit, I was surprised to see it. It made me think, I do not 
> > understand something -- or that FreeBSD is becoming overly 
> > paternalistic. It turned out to be the latter...
> > 
> > I doubt, it is useful. Worse, issuing such warnings routinely, only 
> > reinforces the unfortunate misconceptions like the one Barney 
> > demonstrated in this thread. When originally added, the check was meant 
> > to be off by default:
> > ... 
> > perhaps, it should have remained off? Yours,
> 
> Those security checks are for a reason - people make mistakes (even a perfect
> guy like you will have a "head in a brown bag" time).
> It is better to get a heads-up, then think about it and turn it off 
> (customize)
> if considered unneeded.

This specific check is there and on by default because you CAN NOT rely
on negative group permissions unless you never use more than 14 groups
or never use NFS.  The check is a compromise I implemented as part of
the switch to allowing a large number of groups per user (technically
per-process).  Users who wish to use them and know what they are doing
can easily turn it off.

IIRC the reason it was off by default to start with is that I wanted to
MFC it but it's been a long time so I'm no longer certain.

-- Brooks
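
A small model of the point above, as an added example that is not code from the thread or from FreeBSD: it applies the classic owner/group/other check to the mode from the report (`-rw--w-r--`) and shows how the result changes when the file's group is missing from the group list the server sees. The uid/gid values are constructed, the limit of 14 is the figure quoted in the thread, and keeping the first entries on truncation is an assumption.

```python
import stat

NFS_GROUP_LIMIT = 14  # figure quoted in the thread

def negative_group_bits(mode):
    """Permissions that 'other' has but 'group' lacks, e.g. 'r' for 0o624."""
    pairs = (("r", stat.S_IRGRP, stat.S_IROTH),
             ("w", stat.S_IWGRP, stat.S_IWOTH),
             ("x", stat.S_IXGRP, stat.S_IXOTH))
    return "".join(c for c, g, o in pairs if mode & o and not mode & g)

def allowed(mode, file_uid, file_gid, uid, gids, want):
    """Classic Unix check: the first matching class decides, no fall-through."""
    if uid == file_uid:
        shift = 6      # owner bits
    elif file_gid in gids:
        shift = 3      # group bits, even when 'other' would grant more
    else:
        shift = 0      # other bits
    return bool((mode >> shift) & {"r": 4, "w": 2, "x": 1}[want])

def truncated(gids, limit=NFS_GROUP_LIMIT):
    """Group list as a server would see it if only `limit` entries arrive.
    Keeping the first entries is an assumption of this model."""
    return gids[:limit]

def demo():
    mode = 0o624                    # -rw--w-r--, the file from the report
    mi, www, user = 1001, 80, 2000  # constructed ids; user is in www
    many = list(range(3000, 3020)) + [www]   # www is the 21st group
    seen = truncated(many)
    return {
        "negative_bits": negative_group_bits(mode),
        "read_full_list": allowed(mode, mi, www, user, many, "r"),
        "read_truncated": allowed(mode, mi, www, user, seen, "r"),
        "write_full_list": allowed(mode, mi, www, user, many, "w"),
        "write_truncated": allowed(mode, mi, www, user, seen, "w"),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the full list the `www` member is denied read and granted write; with the truncated list the same user falls into "other", so read is granted and write is lost.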




Re: What is "negative group permissions"? (Re: narawntapu security run output)

2012-12-24 Thread Eitan Adler
On 24 December 2012 10:27, jb  wrote:
> Those security checks are for a reason - people make mistakes (even a perfect
> guy like you will have a "head in a brown bag" time).
> It is better to get a heads-up, then think about it and turn it off 
> (customize)
> if considered unneeded.

+1.  Default to helping the new user (or the user that makes mistakes).


-- 
Eitan Adler
___
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "[email protected]"


Re: What is "negative group permissions"? (Re: narawntapu security run output)

2012-12-24 Thread jb
Mikhail T.  aldan.algebra.com> writes:

> 
> On 23.12.2012 11:48, Chris Rees wrote:
> > They involve a lot of thought to get right, as well as chmod g-w on 
> > something where you probably meant chmod go-w is a disastrous but 
> > (perhaps) common error. Chris 
> 
> Well, in (over 20) years of dealing with Unix, I've never made a mistake 
> like that, nor do I understand, how it can be considered "common" ... 
> Got to admit, I was surprised to see it. It made me think, I do not 
> understand something -- or that FreeBSD is becoming overly 
> paternalistic. It turned out to be the latter...
> 
> I doubt, it is useful. Worse, issuing such warnings routinely, only 
> reinforces the unfortunate misconceptions like the one Barney 
> demonstrated in this thread. When originally added, the check was meant 
> to be off by default:
> ... 
> perhaps, it should have remained off? Yours,

Those security checks are for a reason - people make mistakes (even a perfect
guy like you will have a "head in a brown bag" time).
It is better to get a heads-up, then think about it and turn it off (customize)
if considered unneeded.
jb
 





Re: What is "negative group permissions"? (Re: narawntapu security run output)

2012-12-24 Thread Mikhail T.

On 23.12.2012 11:48, Chris Rees wrote:
> They involve a lot of thought to get right, as well as chmod g-w on
> something where you probably meant chmod go-w is a disastrous but
> (perhaps) common error.
>
> Chris


Well, in (over 20) years of dealing with Unix, I've never made a mistake 
like that, nor do I understand, how it can be considered "common" ... 
Got to admit, I was surprised to see it. It made me think, I do not 
understand something -- or that FreeBSD is becoming overly 
paternalistic. It turned out to be the latter...


I doubt, it is useful. Worse, issuing such warnings routinely, only 
reinforces the unfortunate misconceptions like the one Barney 
demonstrated in this thread. When originally added, the check was meant 
to be off by default:


   r215213 | brooks | 2010-11-12 19:40:43 -0500 (пт, 12 лис 2010) | 7 lines

   Add an (off by default) check for negative permissions (where the
   group on a object has less permissions that everyone).  These
   permissions will not work reliably over NFS if you have more than
   14 supplemental groups and are usually not what you mean.

   MFC after:  1 week

perhaps, it should have remained off? Yours,

   -mi


Re: What is "negative group permissions"? (Re: narawntapu security run output)

2012-12-23 Thread Chris Rees
On 23 December 2012 16:23, Barney Wolff  wrote:

[moving Barney's top post down]

> On Sun, Dec 23, 2012 at 10:51:24AM -0500, Mikhail T. wrote:
>> On 23.12.2012 03:05, Charlie Root wrote:
>> > Checking negative group permissions:
>> >   8903027 -rw--w-r--  1 mi www 794277 Oct 23 07:47:45 2007
>> > /home/mi/public_html/syb/order/download.log
>> Hello!
>>
>> The above started to appear in the daily security run output after I
>> upgraded to 9.1. I don't understand, what this check is doing or why the
>> above file is reported -- what's abnormal (warning-worthy) about
>> allowing the web-server to write to, but not read a file? I did it on
>> purpose to keep all files associated with a project together, but
>> without inadvertently serving some of them...
>
> The r for other means that you have not accomplished your goal.  It makes
> no sense to have group with less permission than other, so the script is
> warning of a misconfiguration.

Not at all; anything in www group can't read the file, which is what
Mikhail wants to do.

If he has thought about the consequences of exactly what this means;
i.e. normal users can read-only, www group can write-only, mi can
read/write, then he can ignore the warning.

Negative group permissions are sometimes useful, that's why they're allowed.

>> I understand, I can explicitly disable it, but I'm curious... Whether it
>> should run by default or not, what is the purpose of it?

They involve a lot of thought to get right, as well as chmod g-w on
something where you probably meant chmod go-w is a disastrous but
(perhaps) common error.

Chris


Re: What is "negative group permissions"? (Re: narawntapu security run output)

2012-12-23 Thread Barney Wolff
The r for other means that you have not accomplished your goal.  It makes
no sense to have group with less permission than other, so the script is
warning of a misconfiguration.

On Sun, Dec 23, 2012 at 10:51:24AM -0500, Mikhail T. wrote:
> On 23.12.2012 03:05, Charlie Root wrote:
> > Checking negative group permissions:
> >   8903027 -rw--w-r--  1 mi www 794277 Oct 23 07:47:45 2007
> > /home/mi/public_html/syb/order/download.log
> Hello!
> 
> The above started to appear in the daily security run output after I 
> upgraded to 9.1. I don't understand, what this check is doing or why the 
> above file is reported -- what's abnormal (warning-worthy) about 
> allowing the web-server to write to, but not read a file? I did it on 
> purpose to keep all files associated with a project together, but 
> without inadvertently serving some of them...


What is "negative group permissions"? (Re: narawntapu security run output)

2012-12-23 Thread Mikhail T.

On 23.12.2012 03:05, Charlie Root wrote:
> Checking negative group permissions:
>   8903027 -rw--w-r--  1 mi www 794277 Oct 23 07:47:45 2007
> /home/mi/public_html/syb/order/download.log

Hello!

The above started to appear in the daily security run output after I 
upgraded to 9.1. I don't understand, what this check is doing or why the 
above file is reported -- what's abnormal (warning-worthy) about 
allowing the web-server to write to, but not read a file? I did it on 
purpose to keep all files associated with a project together, but 
without inadvertently serving some of them...


The actual script generating this warning (110.neggrpperm) was added in 
2010 and meant to be off by default. There is no explicit mention of the 
knob daily_status_security_neggrpperm_enable in the log for 
etc/defaults/periodic.conf...


I understand, I can explicitly disable it, but I'm curious... Whether it 
should run by default or not, what is the purpose of it?


Thanks,

   -mi
