Re: drop support for afs, nnpfs, and procfs from security(8)

2020-09-17 Thread Ingo Schwarze
Hi Todd,

Todd C. Miller wrote on Wed, Sep 16, 2020 at 01:36:09PM -0600:
> On Wed, 16 Sep 2020 18:17:36 +0200, Ingo Schwarze wrote:

>> Does anyone think that explicitly excluding these file system
>> types might still be useful, or is the following simplification
>> OK?  No functional change intended.

> I think those bits can go.  OK millert@

Committed, thanks for checking.
  Ingo



Re: drop support for afs, nnpfs, and procfs from security(8)

2020-09-16 Thread Todd C . Miller
On Wed, 16 Sep 2020 18:17:36 +0200, Ingo Schwarze wrote:

> Does anyone think that explicitly excluding these file system
> types might still be useful, or is the following simplification
> OK?  No functional change intended.

I think those bits can go.  OK millert@

 - todd



drop support for afs, nnpfs, and procfs from security(8)

2020-09-16 Thread Ingo Schwarze
Hi,

by chance, I noticed that security(8) is careful to avoid scanning
filesystems of the types "afs", "nnpfs", and "procfs".  According
to "ls /sbin/mount*", no such file systems are supported, and the
only page "man -ak any=afs any=nnpfs any=procfs" brings up seems
to be sshd_config(5) talking about KerberosGetAFSToken, which seems
tangentially related at best.  Even pkg_locate(1) comes up empty-handed
with respect to mount_afs, mount_nnpfs, and mount_procfs.

Does anyone think that explicitly excluding these file system
types might still be useful, or is the following simplification
OK?  No functional change intended.

Yours,
  Ingo


Index: security
===
RCS file: /cvs/src/libexec/security/security,v
retrieving revision 1.39
diff -U4 -p -r1.39 security
--- security14 Sep 2020 14:43:13 -  1.39
+++ security14 Sep 2020 15:11:07 -
@@ -539,11 +539,11 @@ sub find_special_files {
nag !(open my $fh, '-|', 'mount'),
"cannot spawn mount: $!"
and return;
while (<$fh>) {
-   my ($path, $type, $opt) = /\son\s+(.*?)\s+type\s+(\w+)(.*)/;
+   my ($path, $opt) = /\son\s+(.*?)\s+type\s+\w+(.*)/;
$skip{$path} = 1 if $path &&
-   ($type =~ /^(?:a|nnp|proc)fs$/ || $opt !~ /local/ ||
+   ($opt !~ /local/ ||
 ($opt =~ /nodev/ && $opt =~ /nosuid/));
}
close_or_nag $fh, "mount" or return;
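
Review bot: the skip condition in the "$skip{$path} = 1 if $path && (...)" statement has no comment saying which mounts are left out of the scan, and with the type test removed the two remaining criteria are easy to misread. A one-line comment above it would help, for example "skip non-local filesystems and those mounted with both nodev and nosuid". Separately, the tests on $opt are unanchored substring matches against everything after the type word, so /local/ matches any option text containing that string; /\blocal\b/ (and likewise for nodev and nosuid) would be stricter, if the format of the mount output allows it.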