Re: What is "negative group permissions"? (Re: narawntapu security run output)
On Mon, Dec 24, 2012 at 03:27:57PM +, jb wrote:
> Mikhail T. aldan.algebra.com> writes:
>
> >
> > On 23.12.2012 11:48, Chris Rees wrote:
> > > They involve a lot of thought to get right, as well as chmod g-w on
> > > something where you probably meant chmod go-w is a disastrous but
> > > (perhaps) common error. Chris
> >
> > Well, in (over 20) years of dealing with Unix, I've never made a mistake
> > like that, nor do I understand, how it can be considered "common" ...
> > Got to admit, I was surprised to see it. It made me think, I do not
> > understand something -- or that FreeBSD is becoming overly
> > paternalistic. It turned out to be the latter...
> >
> > I doubt, it is useful. Worse, issuing such warnings routinely, only
> > reinforces the unfortunate misconceptions like the one Barney
> > demonstrated in this thread. When originally added, the check was meant
> > to be off by default:
> > ...
> > perhaps, it should have remained off? Yours,
>
> Those security checks are for a reason - people make mistakes (even a perfect
> guy like you will have a "head in a brown bag" time).
> It is better to get a heads-up, then think about it and turn it off
> (customize)
> if considered unneeded.

This specific check is there and on by default because you CAN NOT rely
on negative group permissions unless you never use more than 14 groups
or never use NFS. The check is a compromise I implemented as part of
the switch to allowing large number of groups per user (technically
per-process). Users who wish to use them and know what they are doing
can easily turn it off.

IIRC the reason it was off by default to start with is that I wanted to
MFC it but it's been a long time so I'm no longer certain.

-- Brooks
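An added example, not part of the original thread or of FreeBSD's own check: it flags modes where "other" holds a bit that "group" lacks (what chmod g-w instead of go-w produces) and shows the classic owner/group/other check granting access once the denied group is missing from the caller's group list. Modelling the group limit as a plain truncation of that list, and all uids, gids and modes, are assumptions made for the illustration.

```python
import os
import stat

def negative_group_bits(mode):
    """Return the rwx letters that 'other' has but 'group' lacks."""
    group = (mode >> 3) & 0o7
    other = mode & 0o7
    extra = other & ~group
    return "".join(ch for ch, bit in (("r", 4), ("w", 2), ("x", 1)) if extra & bit)

def access_bits(mode, file_uid, file_gid, uid, gids):
    """Classic Unix check: exactly one of owner, group or other applies."""
    if uid == file_uid:
        return (mode >> 6) & 0o7
    if file_gid in gids:
        return (mode >> 3) & 0o7
    return mode & 0o7

def scan(root):
    """List (path, bits) for regular files under root with negative group permissions."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode):
                bits = negative_group_bits(stat.S_IMODE(st.st_mode))
                if bits:
                    hits.append((path, bits))
    return sorted(hits)

# Constructed scenario: mode 0o604, owner uid 0, group 500 is the "denied" group.
# User 1001 belongs to 20 groups and 500 is the last entry in the list.
MODE, FILE_UID, FILE_GID = 0o604, 0, 500
ALL_GIDS = list(range(100, 119)) + [500]
GROUP_LIMIT = 14  # figure quoted in the message; truncation model is an assumption

def demo():
    """Return (bits with the full group list, bits with the truncated list)."""
    full = access_bits(MODE, FILE_UID, FILE_GID, 1001, ALL_GIDS)
    cut = access_bits(MODE, FILE_UID, FILE_GID, 1001, ALL_GIDS[:GROUP_LIMIT])
    return full, cut

if __name__ == "__main__":
    print("full list: %o, truncated list: %o" % demo())
    for path, bits in scan("."):
        print("negative group permissions (%s): %s" % (bits, path))
```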
ppc fails to attach to puc on 9.1-STABLE, 7.4-STABLE works
I want my printer port back on 9.1 ;-(

I have this card:

puc0@pci0:4:1:0:class=0x078000 card=0x00121000 chip=0x98359710 rev=0x01 hdr=0x00
    vendor = 'NetMos Technology'
    device = 'PCI 9835 Multi-I/O Controller'
    class = simple comms

It attached and worked under 7.4-STABLE (as long as I disabled the
interrupt using hint.ppc.0.irq=""):

puc0: port 0xdf00-0xdf07,0xde00-0xde07,0xdd00-0xdd07 ,0xdc00-0xdc07,0xdb00-0xdb07,0xda00-0xda0f irq 17 at device 1.0 on pci4
puc0: [FILTER]
uart0: on puc0
uart0: [FILTER]
uart1: on puc0
uart1: [FILTER]
ppc0: on puc0
ppc0: Generic chipset (ECP/EPP/PS2/NIBBLE) in ECP+EPP mode (EPP 1.9)
ppbus0: on ppc0
lpt0: on ppbus0
lpt0: Polled port

Under 9.1 the card does not attach the ppc anymore. The hint entries

hint.ppc.0.at=puc0
hint.ppc.0.irq=""
hint.ppc.0.flags=0x2F

get ignored and so it probes as ppc1 (failing due to the interrupt
problem as it was in 7.4 without hints):

puc0: port 0xdf00-0xdf07,0xde00-0xde07,0xdd00-0xdd07 ,0xdc00-0xdc07,0xdb00-0xdb07,0xda00-0xda0f irq 17 at device 1.0 on pci4
uart2: at port 1 on puc0
uart3: <16550 or compatible> at port 2 on puc0
ppc1: at port 3 on puc0
ppc1: Generic chipset (EPP/NIBBLE) in COMPATIBLE mode
ppc1: failed to register interrupt handler: 6
device_attach: ppc1 attach returned 6

Any ideas? How do I construct the hint entries under 9.1 so that

1. it does not want to use the interrupt (which made it attach under 7.4)
2. it takes the flags 0x2F as it did before.

I have also never understood if ppc itself needs to attach to the irq as
well (I thought this all would be handled by puc).

Thanks,
-Andre