negative permission scanner for periodic/security
Ulrich Spörlein
uqs at spoerlein.net
Thu Oct 21 18:08:50 UTC 2010
On Thu, 14.10.2010 at 15:23:23 -0500, Brooks Davis wrote:
> One of the side effects of increasing NGROUPS_MAX is that it's possible
> for a process to be in more groups than can be transmitted over NFS
> (<4). When that happens users are mostly denied access to things they
> should have access to. However, permission evaluation order in unix
> means that groups can be denied access to files the world can read using
> so called negative permissions. I've written a scanner (derived from
> 100.chksetuid) for the periodic security script to flag such files as
> they pose a security risk (and nearly all the time are errors). I've
> not bothered looking for negative user permissions as that isn't broken
> over NFS and assuming the file is not on a read-only FS the user can
> just give themselves permissions again.
>
> One minor note: Before enabling this by default, ~6 files in the ports
> repo need fixing as they have world execute bits without user or group
> execute bits.
>
> Should this be enabled by default? I think so, but welcome discussion.
I'm with you, but a couple of points to note:
- Many admins won't be familiar with this problem and might not go as
far as reading the periodic manpage for an explanation. Perhaps another
paragraph could be emitted -- iff we have a hit -- that explains why
periodic is checking the permissions.
- ufs,zfs is hardcoded, can't we get this list from somewhere else? We
support NFS exports of ext2fs filesystems, right?
- Not a problem for sane setups, but somewhere out there is a machine
where the resulting list might be several MB large. We currently don't
restrict the periodic mail to a certain size, perhaps we should start
doing this to avoid mailbox/mail system overflow?
Regards,
Uli
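The check the thread is about, as an added stand-alone illustration (this is not Brooks's scanner, not 100.chksetuid, and not anything from the periodic(8) tree): Unix evaluates owner, then group, then other, so a file whose "other" bits grant something the "group" bits deny locks group members out of what every other user may do. The script below tests a single octal mode for that condition and, using only POSIX find(1) symbolic `-perm` tests so it behaves the same on FreeBSD and Linux, lists such files under a directory. The sample directory and the file names and modes in it are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: detect "negative group permissions",
# i.e. regular files where a permission bit is set for "other" but clear for
# "group". Because permission evaluation stops at the first matching class
# (owner, group, other), such a file denies its group what the world gets.

# is_negative_group MODE
# MODE is an octal mode such as 604 or 0604. Returns 0 (true) when any of
# r/w/x is set for "other" but not for "group", 1 otherwise.
is_negative_group() {
    m=$(( 0$1 ))            # a leading 0 makes POSIX arithmetic read it as octal
    grp=$(( (m / 8) % 8 ))  # group triplet
    oth=$(( m % 8 ))        # other triplet
    # bits present in "other" but absent from "group"; 7 - grp is ~grp on 3 bits
    [ $(( oth & (7 - grp) )) -ne 0 ]
}

# scan_negative_group DIR
# Prints, one per line, every regular file under DIR whose "other" bits grant
# read, write or execute while the matching "group" bit is clear.
# "-perm -o=r" means "all bits of o=r (0004) are set"; "\! -perm -g=r" means
# the corresponding group bit is not.
scan_negative_group() {
    find "$1" -type f \( \
        \( -perm -o=r \! -perm -g=r \) -o \
        \( -perm -o=w \! -perm -g=w \) -o \
        \( -perm -o=x \! -perm -g=x \) \
    \) -print
}

# make_sample_dir
# Creates a temporary directory holding constructed sample files and prints
# its path. Three of the six modes are negative group permissions.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    : > "$d/world-read";   chmod 604 "$d/world-read"    # hit: other r, group none
    : > "$d/world-exec";   chmod 701 "$d/world-exec"    # hit: other x, group none
    : > "$d/world-write";  chmod 646 "$d/world-write"   # hit: other w, group r only
    : > "$d/normal";       chmod 644 "$d/normal"        # fine
    : > "$d/group-write";  chmod 664 "$d/group-write"   # fine
    : > "$d/private";      chmod 600 "$d/private"       # fine
    printf '%s\n' "$d"
}

# Stand-alone demo: build the constructed tree, scan it, clean up.
sample=$(make_sample_dir)
printf 'Files with negative group permissions under %s:\n' "$sample"
scan_negative_group "$sample"
rm -rf "$sample"
```

Run as a plain `sh` script; to scan a real filesystem, call `scan_negative_group /some/path` instead of the demo lines. The find expression deliberately tests the three bits separately rather than comparing whole triplets, so a file such as mode 646 (group read, world read and write) is reported for its write bit even though the group does have read access.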