Re: File create permissions, what am I missing?
Greg Black wrote:

On 2005-08-13, João Carlos Mendes Luís wrote:

Brooks Davis wrote:

On BSD systems, the group of a file is always the group of the directory it is in. This differs from SysV UNIX.

The resident grey-beard at work feels this is a new and annoying behavior. (i.e. it wasn't always this way. :)

So this is expected behavior? Isn't this someway insecure?

It is documented behaviour (see open(2) for details). How is it insecure?

I don't know how it could be unsecure. Is there any specific reason for it to be different on SYSV and Linux? Or is it just a different choice?

I could not find any vulnerability, but I do not like the idea that a user could create files belonging to a group himself does not belong. My first attempt was to mark this file setgid, but the system denies it: It is my file, but I am not in the file's group. That would be too easy. ;-) Nevertheless, if somebody leaves a directory writeable by anybody, he should know what he's doing. If I could just make /tmp not writeable...;-)

___
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: File create permissions, what am I missing?
On Sun, Aug 14, 2005 at 03:01:52AM -0300, João Carlos Mendes Luís wrote:

I could not find any vulnerability, but I do not like the idea that a user could create files belonging to a group himself does not belong.

It can come in handy sometimes. I have apache setup in a specific group. The document root on which it operates is owned by a user that owns that website. The group owner of that directory is set to the apache group, and luckily the user does not need to be in that group. This way a user can control availability of files on the web by simply denying group access, without needing to belong to yet another group just for the sake of being able to do just that.

--Stijn

--
I'm not under the alkafluence of inkahol that some thinkle peep I am. It's just the drunker I sit here the longer I get.
Re: File create permissions, what am I missing?
On 2005-08-14, João Carlos Mendes Luís wrote:

Greg Black wrote:

On 2005-08-13, João Carlos Mendes Luís wrote:

Brooks Davis wrote:

On BSD systems, the group of a file is always the group of the directory it is in. This differs from SysV UNIX.

The resident grey-beard at work feels this is a new and annoying behavior. (i.e. it wasn't always this way. :)

So this is expected behavior? Isn't this someway insecure?

It is documented behaviour (see open(2) for details). How is it insecure?

I don't know how it could be unsecure.

So why suggest that it is? If you find something that is actually insecure, by all means bring it to people's attention; but don't just randomly speculate without any evidence. The mere fact that it's unfamiliar to you or somehow different from your normal expectations is not in itself sufficient reason to proclaim that there's a problem.

Is there any specific reason for it to be different on SYSV and Linux? Or is it just a different choice?

It's a different (and IMO better) choice. And if you care about the reasons, by all means track down the different histories that led to the choices that were made. But that's not really a topic to flog to death here.

I could not find any vulnerability, but I do not like the idea that a user could create files belonging to a group himself does not belong.

He can only do this if he has write permission in the directory in question and of course he also has write permission to the file. The fact that it might belong to a group he is not a member of is irrelevant to security. As has been pointed out, there are some useful things that you can do with this feature and, as always with these things, it's important to understand how things work before setting out to use them.

And, while I'm at it, I'd point out that these questions are better put on the questions list, as they are not really in the domain of this list.
Greg
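The group-inheritance rule debated in this thread can be observed on any given system with the following added example, which is not part of any message in the thread; `pick_other_gid` and `probe` are illustrative names. It creates a file inside a directory whose group differs from the process's effective group and reports which of the two the file received. The setgid-directory case goes beyond what the thread mentions and assumes the usual Linux/SysV rule that a setgid directory passes its group to new files.

```python
import os
import stat
import tempfile

# Added example: pick_other_gid() and probe() are illustrative names.

def pick_other_gid():
    """Return a gid other than our effective gid that we may chown to, or None."""
    egid = os.getegid()
    if os.geteuid() == 0:
        return egid + 1              # constructed value: root may assign any numeric gid
    for gid in os.getgroups():       # non-root may only chgrp to its own groups
        if gid != egid:
            return gid
    return None

def probe(setgid_dir=False):
    """Create a file in a directory owned by another group; report whose gid it got.

    Returns "directory" (BSD rule), "process" (SysV rule) or "inconclusive".
    """
    other = pick_other_gid()
    if other is None:
        return "inconclusive"
    with tempfile.TemporaryDirectory() as d:
        try:
            os.chown(d, -1, other)
            os.chmod(d, 0o700 | (stat.S_ISGID if setgid_dir else 0))
        except OSError:
            return "inconclusive"    # e.g. gid not mapped inside a user namespace
        dir_st = os.stat(d)
        if dir_st.st_gid == os.getegid() or (
                setgid_dir and not dir_st.st_mode & stat.S_ISGID):
            return "inconclusive"    # group change or setgid bit did not take effect
        path = os.path.join(d, "probe")
        os.close(os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o600))
        file_gid = os.stat(path).st_gid
    if file_gid == dir_st.st_gid:
        return "directory"
    if file_gid == os.getegid():
        return "process"
    return "inconclusive"

if __name__ == "__main__":
    print("plain directory :", probe())
    print("setgid directory:", probe(setgid_dir=True))
```

A result of "inconclusive" means the account has no second group to test with, or the filesystem refused the group change.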
Re: 5.4 -- bridging, ipfw, dot1q
Dan Mahoney, System Admin wrote:

should be in -net not -hackers
cc's changed accordingly..

After all, the demuxing is nothing more than ignoring a few extra bits at the beginning of the packet. Which all my BPF stuff is doing nicely. Snort, trafshow, etc all work fine and don't seem to choke on the extra frames. I'd personally just be happy if ipfw was smart enough to know that if I was using ip-type rules on something that's not ip...that it would handle the demuxing automagically.

i.e.
ipfw add 100 deny ip from any to 192.168.1.1 mac-type vlan via em1

or maybe

i.e.
ipfw add 100 deny ip from any to 192.168.1.1 mac-type vlan-as-inet via em1

Hi Dan. What it comes down to is just that no-one who has worked in ipfw has had your particular problem to solve. O/S gets done when people have a particular problem to solve.

As for demultiplexing, well, you COULD pass it out to a netgraph node that strips off the header and stores the info in a tag, and then passes it back to ipfw, but I don't know how the details would work. (I haven't been in ipfw since it was rewritten).

Alternatively you could use netgraph bridging and the netgraph vlan node type to achieve some sort of stripping.. (Once again, I'm just pointing you in this direction, not providing a full answer.) In 6.x netgraph has more options for this sort of thing with a direct interface between ipfw and netgraph.

So, if you want to fix it, you could either do some work on ipfw or do some work on netgraph, but either way you'll probably need to do some work.

Julian
why nfs does not export ext2fs
Can FreeBSD export ext2fs as NFS mounts? Why does it give an error like...

ext2fs doesn't support the old mount syscall.

When I was looking for an answer to this, I saw several people tried to patch the code. Does anybody know a possible solution? Please let me know at least a place to find an answer.

Thank you very much.

Tharindu R.
Re: Converting libfoo.so for linux to freebsd
On Tue, 9 Aug 2005, M. Warner Losh wrote:

In message: [EMAIL PROTECTED] Bernd Walter [EMAIL PROTECTED] writes:
: On Tue, Aug 09, 2005 at 01:37:34PM -0600, M. Warner Losh wrote:
: I have recently purchased a device that comes with a .so for linux,
: but no sources. Is there any way one can take an arbitrary linux .so
: which appears to have no dependencies to a FreeBSD .so? The binary
: code is about 20k or so.
:
: Isn't this just brandelf'ing to FreeBSD-i386?
: Assuming that the lib really has no dependencies to linux specific
: device/kernel features or linux specific libs.

I tried brandelfing, but that didn't work. There's some weird symbols in there:

DF *UND* 0023 GLIBC_2.0 fprintf
DF *UND* 00f8 GLIBC_2.0 fflush
DF *UND* 01b4 GLIBC_2.0 malloc
DF *UND* 0058 GLIBC_2.0 memmove
DO *UND* 0004 GLIBC_2.0 stderr
DF *UND* 020d GLIBC_2.0 abort
DF *UND* 0027 GLIBC_2.0 memcpy
w DF *UND* 00ac GLIBC_2.1.3 __cxa_finalize
DF *UND* 0043 GLIBC_2.0 memset

So it looks like I'm close... objcopy -R kept the GLIBC_* references in place, alas, so that didn't work, as suggested elsewhere in this thread.

The above list is small, but has three bad entries: fprintf, fflush and stderr. So that may present a problem for me if these functions are ever called.

Warner

Well, those functions do exist... except for stderr, although that is a variable (libc)

The problem is that when you brandelf a .so file, it doesn't do anything, whatever uses it must be brandelf'd and compiled for linux... (well, in my experience with it it does nothing that I have noticed)

If you can compile whatever needs to use it as linux then brandelf it, it should work

~Neo-Vortex