Dear colleagues,

In the attached security-special-files-1.diff I have documented
the changes from 2020 to the security(8) special file checks.
The 2020 changes are those based on ideas from Rupert Gallagher and
Todd Miller on misc@.

I don't like how complicated I made the documentation, so
I also propose an alternative: Change security(8) to allow
shorter documentation. This is in security-special-files-2.diff.

Here is an example of the difference. Consider running security(8)
with SUIDSKIP=/v in the environment and with the following lines
printed by mount(8).

  /dev/sd5f on /v type ffs (local, noatime)
  /dev/sd5g on /v/1 type ffs (local, noatime)

With the current approach (security-skip-suid-1.diff), the tree
under /v/1 is checked and everything else under /v is skipped.
With the alternative (security-skip-suid-2.diff), everything
under /v is skipped.

I find it easier to explain and understand the approach
in security-skip-suid-2.diff. If that approach is unwelcome,
I propose security-skip-suid-1.diff to document the current approach.

With great honour,
Ibsen S Ripsbusker

Index: share/man/man8/security.8
===================================================================
RCS file: /cvs/src/share/man/man8/security.8,v
retrieving revision 1.26
diff -u -p -r1.26 security.8
--- share/man/man8/security.8   13 Jul 2017 19:16:33 -0000      1.26
+++ share/man/man8/security.8   15 Oct 2023 17:34:28 -0000
@@ -58,6 +58,14 @@ Check NFS
 file for global export entries.
 .It
 Check for changes in setuid/setgid files and devices.
+Skip this check for a particular file if
+the file's filesystem is non-local;
+the file's filesystem is mounted with both
+.Dq nodev
+and
+.Dq nosuid ;
+or
+.Ev SUIDSKIP references the file or an ancestor on the same filesystem.
 .It
 Check disk ownership and permissions.
 .It
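Review bot: `.Ev SUIDSKIP references the file or an ancestor on the same filesystem.` puts the rest of the sentence inside the `.Ev` macro, because `.Ev` formats every argument as an environment variable name; put the trailing words on their own line (`.Ev SUIDSKIP` followed by `references the file or an ancestor on the same filesystem.`). The three conditions joined by semicolons and a bare `or` would also read more clearly as `.It` entries of a nested list, which is the form the surrounding checks already use.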
@@ -130,6 +138,7 @@ Avoid trailing slashes.
 .Sh SEE ALSO
 .Xr changelist 5 ,
 .Xr daily 8 ,
+.Xr mount 8
 .Xr mtree 8
 .Sh HISTORY
 A
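Review bot: `.Xr mount 8` is followed by `.Xr mtree 8`, so it needs the trailing comma the entries above it carry (`.Xr mount 8 ,`); as written the SEE ALSO line renders as `mount(8) mtree(8)` with no separator.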
Index: libexec/security/security
===================================================================
RCS file: /cvs/src/libexec/security/security,v
retrieving revision 1.41
diff -u -p -r1.41 security
--- libexec/security/security   11 Oct 2020 18:28:17 -0000      1.41
+++ libexec/security/security   15 Oct 2023 17:32:58 -0000
@@ -26,6 +26,7 @@ use Fcntl qw(O_RDONLY O_NONBLOCK :mode);
 use File::Basename qw(basename);
 use File::Compare qw(compare);
 use File::Copy qw(copy);
+use List::Util qw(any);
 require File::Find;
 
 use constant {
@@ -542,6 +543,7 @@ sub find_special_files {
        while (<$fh>) {
                my ($path, $opt) = /\son\s+(.*?)\s+type\s+\w+(.*)/;
                push @fs, $path if $path && $opt =~ /local/ &&
+                   !(any {substr($path, 0, (length $_) + 1) eq ($_ . "/")} 
(keys %skip)) &&
                    !($opt =~ /nodev/ && $opt =~ /nosuid/);
        }
        close_or_nag $fh, "mount" or return;
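Review bot: the prefix test `substr($path, 0, (length $_) + 1) eq ($_ . "/")` drops only mount points strictly below a SUIDSKIP entry; a mount point equal to an entry (`/v` itself in the example from the mail) is still pushed onto `@fs` and is skipped only by the existing `%skip` handling during traversal. That gives the behaviour the mail describes, but a one-line comment saying so would spare the next reader the same puzzle. The same test also means an entry written with a trailing slash, or `/` on its own, never matches any mount point, which is consistent with the "Avoid trailing slashes." advice already in security.8. Finally, the continuation `(keys %skip)) &&` carries no diff prefix, so the line seems to have been wrapped in transit; please reflow it to fit in 80 columns, for instance by moving the `any { ... }` expression into a small helper or onto a line of its own.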
Index: share/man/man8/security.8
===================================================================
RCS file: /cvs/src/share/man/man8/security.8,v
retrieving revision 1.26
diff -u -p -r1.26 security.8
--- share/man/man8/security.8   13 Jul 2017 19:16:33 -0000      1.26
+++ share/man/man8/security.8   15 Oct 2023 17:33:00 -0000
@@ -58,6 +58,12 @@ Check NFS
 file for global export entries.
 .It
 Check for changes in setuid/setgid files and devices.
+Skip this check for non-local filesystems, for filesystems mounted as both
+.Dq nodev
+and
+.Dq nosuid ,
+and for paths set in
+.Ev SUIDSKIP .
 .It
 Check disk ownership and permissions.
 .It
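Review bot: "for paths set in `.Ev SUIDSKIP`" undersells the script change in this diff, which drops a whole filesystem whenever its mount point lies below a SUIDSKIP path; "and for anything below a path listed in `.Ev SUIDSKIP`" would still be short and would describe the `/v` and `/v/1` example from the mail precisely.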
@@ -130,6 +136,7 @@ Avoid trailing slashes.
 .Sh SEE ALSO
 .Xr changelist 5 ,
 .Xr daily 8 ,
+.Xr mount 8
 .Xr mtree 8
 .Sh HISTORY
 A
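Review bot: same as in the first diff, `.Xr mount 8` needs the trailing comma (`.Xr mount 8 ,`) since `.Xr mtree 8` still follows it.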
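As an added illustration, not part of either attached diff or of the security(8) script, the following Perl script applies the filesystem-selection rule from the proposed find_special_files hunk to constructed mount(8) output and reports why each filesystem is kept or dropped, with and without SUIDSKIP=/v. The device names, the extra mount lines and the whitespace-separated parsing of SUIDSKIP are assumptions; the script's pruning of SUIDSKIP entries during the File::Find traversal is not reproduced here, which is why `/v` itself still appears in the traversed list.

```perl
#!/usr/bin/perl
# Added example, not part of either attached diff: apply the filesystem
# selection rule from the proposed find_special_files hunk to constructed
# mount(8) output and report why each filesystem is kept or dropped.
use strict;
use warnings;
use List::Util qw(any);

# Constructed mount(8) lines. The /v and /v/1 pair is the example from the
# mail; the other lines exercise the nodev+nosuid and non-local exclusions.
my @mount_lines = (
    "/dev/sd0a on / type ffs (local)",
    "/dev/sd5f on /v type ffs (local, noatime)",
    "/dev/sd5g on /v/1 type ffs (local, noatime)",
    "/dev/sd5h on /tmp type ffs (local, nodev, nosuid)",
    "/dev/sd5i on /var type ffs (local, nosuid)",
    "fileserver:/export on /mnt type nfs (nodev, nosuid)",
);

# Return the mount points that would be traversed for the setuid/setgid
# check, plus a hash of dropped mount points and the reason for each.
# Assumption: SUIDSKIP is treated as a whitespace-separated list of paths;
# the real script's parsing of the variable is not shown in the diff.
sub select_filesystems {
    my ($lines, $suidskip) = @_;
    my %skip = map { $_ => 1 } split ' ', $suidskip;
    my (@kept, %dropped);

    for my $line (@$lines) {
        # Same regex as the script: mount point and the option string.
        my ($path, $opt) = $line =~ /\son\s+(.*?)\s+type\s+\w+(.*)/;
        next unless $path;

        if ($opt !~ /local/) {
            $dropped{$path} = "non-local";
        } elsif ($opt =~ /nodev/ && $opt =~ /nosuid/) {
            $dropped{$path} = "nodev+nosuid";
        } elsif (any { substr($path, 0, (length $_) + 1) eq "$_/" } keys %skip) {
            # Matches only mount points strictly below an entry ("/v/1"
            # under "/v"); "/v" itself does not match and stays in the list.
            $dropped{$path} = "below SUIDSKIP entry";
        } else {
            push @kept, $path;
        }
    }
    return (\@kept, \%dropped);
}

for my $suidskip ("", "/v") {
    my ($kept, $dropped) = select_filesystems(\@mount_lines, $suidskip);
    printf "SUIDSKIP=%-4s traversed: %s\n", "'$suidskip'", join(" ", @$kept);
    printf "%18s dropped: %s\n", "",
        join(", ", map { "$_ ($dropped->{$_})" } sort keys %$dropped);
}
```

Running it shows `/tmp` dropped for nodev+nosuid and `/mnt` for being non-local in both runs, and `/v/1` dropped only when SUIDSKIP=/v, while `/v` stays in the traversed list in both cases because the prefix test never matches a mount point that equals an entry.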
