Hi Theo,
Theo de Raadt wrote on Mon, Sep 14, 2020 at 07:27:23AM -0600:
> I am happy enough with the diff, and also dislike having a flag.
> Can we get it committed
Done.
> and revisit the situation in 10 years?
I'm sorry, i cannot promise to keep my TODO list in order for ten
years, it often ta
Ingo Schwarze wrote:
> Hi Brian,
>
> Brian Brombacher wrote on Mon, Sep 14, 2020 at 07:55:11AM -0400:
>
> > Love the idea; however, the only drawback is if some Bad Person
> > is twiddling around and leaves a suid or dev around on a file system
> > that is nosuid or nodev, you lose visibility.
On Mon, 14 Sep 2020 13:40:03 +0200, Ingo Schwarze wrote:
> I think that is an interesting idea. That would be the patch below.
> Given that the function find_special_files() looks for SUID, SGID,
> and device files, i suggest this logic: skip a mount point if any
> of the following is true:
>
>
> On Sep 14, 2020, at 8:11 AM, Ingo Schwarze wrote:
>
> Hi Brian,
>
> Brian Brombacher wrote on Mon, Sep 14, 2020 at 07:55:11AM -0400:
>
>> Love the idea; however, the only drawback is if some Bad Person
>> is twiddling around and leaves a suid or dev around on a file system
>> that is nosu
Hi Brian,
Brian Brombacher wrote on Mon, Sep 14, 2020 at 07:55:11AM -0400:
> Love the idea; however, the only drawback is if some Bad Person
> is twiddling around and leaves a suid or dev around on a file system
> that is nosuid or nodev, you lose visibility.
Doesn't look like a problem to me; t
> On Sep 14, 2020, at 7:43 AM, Ingo Schwarze wrote:
>
> Hi Theo,
>
> Theo de Raadt wrote on Mon, Sep 14, 2020 at 04:06:08AM -0600:
>> Ingo Schwarze wrote:
>
>>> are used for. Some such file systems may permit SUID and/or device
>>> files, so not checking them may be a dubious idea.
>
>>
Hi Theo,
Theo de Raadt wrote on Mon, Sep 14, 2020 at 04:06:08AM -0600:
> Ingo Schwarze wrote:
>> are used for. Some such file systems may permit SUID and/or device
>> files, so not checking them may be a dubious idea.
> The script could identify mountpoints with safer mount options and
> reduc
Ingo Schwarze wrote:
> are used for. Some such file systems may permit SUID and/or device
> files, so not checking them may be a dubious idea.
The script could identify mountpoints with safer mount options and
reduce scanning on them.
That will also encourage admins to use restrictive mount op
Hi Todd,
Todd C. Miller wrote on Sun, Sep 13, 2020 at 03:13:04PM -0600:
> On Sun, 13 Sep 2020 09:17:02 -, Rupert Gallagher wrote:
>> Since /usr/libexec/security runs blindly on every attached storage
>> media, it also runs on mounted tape and backup data volumes.
> It might be best to only c
On Sun, 13 Sep 2020, Theo de Raadt wrote:
> Rupert Gallagher wrote:
>> This is stupid.
> Your tone is the real stupid.
Well, at least it is not diabolic like the infamous tritone.
Rod.
On Sun, 13 Sep 2020 09:17:02 -, Rupert Gallagher wrote:
> Since /usr/libexec/security runs blindly on every attached storage media, it
> also runs on mounted tape and backup data volumes.
It might be best to only check file systems listed in /etc/fstab
that don't have noauto in the options f
Since /usr/libexec/security runs blindly on every attached storage media, it
also runs on mounted tape and backup data volumes. This is stupid.
Rupert Gallagher wrote:
> This is stupid.
Your tone is the real stupid.