Re: ifmcstat(8) setgidness

Thu, 28 Jun 2001 23:38:37 -0700 

On Wed, Jun 27, 2001 at 06:29:15PM -0700, Dima Dorfman wrote:
> Ruslan Ermilov <[EMAIL PROTECTED]> writes:
> > On Wed, Jun 27, 2001 at 01:29:28AM -0700, Dima Dorfman wrote:
> > > Ruslan Ermilov <[EMAIL PROTECTED]> writes:
> > > > On Tue, Jun 26, 2001 at 03:04:07PM -0700, Dima Dorfman wrote:
> > > > > Hi folks,
> > > > > 
> > > > > Is there a particular reason, other than the desire for more setgid
> > > > > programs, that ifmcstat(8) is setgid kmem?  It seems that there's no
> > > > > reason anyone but root would want to use it, anyway.  OpenBSD and
> > > > > NetBSD already nuked its setgid bit; any reason why we shouldn't
> > > > > follow suit?
> > > > > 
> > > > $ ifmcstat
> > > > kvm_openfiles: Permission denied
> > > 
> > > I don't follow.  Yes, it needs access to kmem to work.  However, I
> > > don't see why anyone other than root would need to run it, so why is
> > > it setgid?  root can access kmem either way.
> > > 
> > Could you please elaborate on why it should be restricted to root only?
> 
> Because it looks like it doesn't provide any information that anyone
> other than the administrator would find useful (if I'm seeing things,
> please let me know), and the less setgid programs in the system the
> better our overworked security officer(s) sleep at night :-).
> 
Then why not make it installed with BINMODE=550 at least?

> > OpenBSD's and NetBSD's commitlogs are too terse.
> 
> This is quite an understatement!
> 
I meant these particular logs.  If you don't find these terse, my apologies:

: revision 1.2
: date: 2001/06/23 00:50:33;  author: deraadt;  state: Exp;  lines: +1 -1
: only root need apply

: revision 1.2
: date: 2001/06/26 17:10:33;  author: itojun;  state: Exp;  lines: +2 -2
: drop setgid.  suggested by deraadt


Cheers,
-- 
Ruslan Ermilov          Oracle Developer/DBA,
[EMAIL PROTECTED]           Sunbay Software AG,
[EMAIL PROTECTED]          FreeBSD committer,
+380.652.512.251        Simferopol, Ukraine

http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message

Reply via email to