[HEADSUP] Disallowing read() of a directory fd
Julian H. Stacey
jhs at berklix.com
Sat May 16 17:58:57 UTC 2020
Kyle Evans wrote:
> On Sat, May 16, 2020 at 10:18 AM Julian H. Stacey <jhs at berklix.com> wrote:
> >
> > Another use of "cat ." is to see names of transient files a tool
> > creates, & normally deletes, if not aborting, so one can find same
> > name junk elsewhere, & search for tool causing junk,
> > & ensure other data files avoid using names that would be zapped.
> >
> > While blocking "cat ." might be worked round if not in a jail, &
> > or if using fsdb & sysctl etc, it would add to a more BSD specific
> > environment, where standard portable Unix skills were insufficient,
> > & more time needed to search & learn BSD extras. Every obstacle
> > costs employers time = money.
> >
>
> This scenario is just a bit too generic for me to be able to relate
> to, because I've never been in a situation where I would've had to or
> just randomly used `cat .` to discover junk files.
Yes, it's a rare usage, I don't do it often.
> This also isn't
> really a transferable skill to other modern OS and filesystems, as
> oftentimes they won't or can't give you anything useful with read(2).
>
> That said, I've written a MAC policy that can live atop the current
> patch to lift all of the restrictions except the sysctl needing to be
> set: https://people.freebsd.org/~kevans/mac-read_dir.diff -> I could
> even be convinced fairly easily to commit it, if you'd find that
> acceptable. The policy ends up looking generically useful, as you can
> lift just the jail root restriction or you can allow any user to cat a
> directory.
>
> Thanks,
>
> Kyle Evans
Thanks,
It's good if it's all sysctl without reboot, (taking (phk's I recall) point
about an fs not surviving a reboot)
It sounds useful, if it allows 3 or is that more ? way choice between eg
{old v. new} x { root v. non root } x { inside a jail v. outside } = 8 ?
If all of that, I guess we'd just be down to a relaxed consideration about
what default mode was for now & later.
If there was change there, we'd need to check what policy is about giving
advance notice of changes in RELNOTES.
If RELNOTES required longer notice than wanted, that could be worked round
easily by implementing code, & merely issuing notice that defaults would
change to new policy later at release x.y.
I took a quick glance at
https://people.freebsd.org/~kevans/mac-read_dir.diff but I'm sorry
loads of real life distraction here. I'm sure others will want to
read it. Thanks for working hard to cater for all cases ! :-)
Cheers
--
Julian Stacey, Consultant Systems Engineer, BSD Linux http://berklix.com/jhs/
http://www.berklix.org/corona/#masks Tie 2 handkerchiefs or 1 pillow case.
Jobs & economy hit by Corona to be hit again by Crash Brexit 31st Dec. 2020