Dear colleagues,

In the attached security-special-files-1.diff I have documented the changes from 2020 to the security(8) special file checks. The 2020 changes are those based on ideas from Rupert Gallagher and Todd Miller on misc@.
I don't like how complicated I made the documentation, so I also propose an alternative: change security(8) to allow shorter documentation. This is in security-special-files-2.diff.

Here is an example of the difference. Consider running security(8) with SUIDSKIP=/v in the environment and with the following lines printed by mount(8).

/dev/sd5f on /v type ffs (local, noatime)
/dev/sd5g on /v/1 type ffs (local, noatime)

With the current approach (security-skip-suid-1.diff), the tree under /v/1 is checked and everything else under /v is skipped. With the alternative (security-skip-suid-2.diff), everything under /v is skipped. I find it easier to explain and understand the approach in security-skip-suid-2.diff. If that approach is unwelcome, I propose security-skip-suid-1.diff to document the current approach.

With great honour,
Ibsen S Ripsbusker
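To make the difference between the two approaches concrete, here is an added example (not part of security(8) nor of the attached diffs) that applies the mount-point prefix test from security-skip-suid-2.diff to constructed mount(8) output. The helper skip_set, the sample mount lines and the extra mount points (/var, /home, an NFS mount) are assumptions of this example; only the mount-line regex and the nodev/nosuid test are taken from the script as shown in the diff.

```perl
#!/usr/bin/perl
# Added example, not code from security(8) or the proposed diffs: apply
# the mount-point skip test of security-skip-suid-2.diff to constructed
# mount(8) output and report which filesystems would still be walked.
use strict;
use warnings;
use List::Util qw(any);

# Constructed mount(8) lines in the format find_special_files parses.
my @mount_lines = (
    "/dev/sd0a on / type ffs (local)",
    "/dev/sd5f on /v type ffs (local, noatime)",
    "/dev/sd5g on /v/1 type ffs (local, noatime)",
    "/dev/sd0d on /var type ffs (local, nodev, nosuid)",
    "/dev/sd0e on /home type ffs (local, nodev)",
    "server:/export on /mnt type nfs (read-only)",
);

# Assumption: SUIDSKIP holds whitespace-separated paths; build the same
# kind of %skip hash the script consults.
sub skip_set {
    my ($suidskip) = @_;
    my %skip;
    $skip{$_} = 1 for split ' ', $suidskip;
    return %skip;
}

# The test added by the diff: is mount point $path strictly below a
# skipped path?  The appended "/" is what keeps /var from matching /v.
# Note that it does not match a mount point equal to the entry itself.
sub under_skipped {
    my ($path, %skip) = @_;
    return any { substr($path, 0, length($_) + 1) eq "$_/" } keys %skip;
}

# Mount points that the setuid/setgid and device check would walk.
sub filesystems_to_check {
    my ($suidskip, @lines) = @_;
    my %skip = skip_set($suidskip);
    my @fs;
    for (@lines) {
        my ($path, $opt) = /\son\s+(.*?)\s+type\s+\w+(.*)/;
        push @fs, $path if $path && $opt =~ /local/
            && !under_skipped($path, %skip)
            && !($opt =~ /nodev/ && $opt =~ /nosuid/);
    }
    return @fs;
}

for my $env ("/v", "/v/") {
    my @fs = filesystems_to_check($env, @mount_lines);
    print "SUIDSKIP=$env -> walk: @fs\n";
}
```

Running it shows three properties of the prefix test: /var survives despite sharing the leading "/v" with the skip entry, because the comparison includes the trailing slash; /v/1 is dropped for SUIDSKIP=/v but not for SUIDSKIP=/v/, which is the trailing-slash caveat the man page already carries; and /v itself is not removed by this test, so skipping the mount point equal to the entry still relies on the per-path %skip handling elsewhere in the script.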
Index: share/man/man8/security.8 =================================================================== RCS file: /cvs/src/share/man/man8/security.8,v retrieving revision 1.26 diff -u -p -r1.26 security.8 --- share/man/man8/security.8 13 Jul 2017 19:16:33 -0000 1.26 +++ share/man/man8/security.8 15 Oct 2023 17:34:28 -0000 @@ -58,6 +58,14 @@ Check NFS file for global export entries. .It Check for changes in setuid/setgid files and devices. +Skip this check for a particular file if +the file's filesystem is non-local; +the file's filesystem is mounted with both +.Dq nodev +and +.Dq nosuid ; +or +.Ev SUIDSKIP references the file or an ancestor on the same filesystem. .It Check disk ownership and permissions. .It @@ -130,6 +138,7 @@ Avoid trailing slashes. .Sh SEE ALSO .Xr changelist 5 , .Xr daily 8 , +.Xr mount 8 .Xr mtree 8 .Sh HISTORY A
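Review bot: The three skip conditions added after "Check for changes in setuid/setgid files and devices." are joined with semicolons into one long sentence, which mdoc will render as a dense run inside the .It; a nested .Bl -bullet with one .It per condition (non-local; nodev and nosuid; SUIDSKIP ancestor on the same filesystem) would read more easily and matches the list style the page already uses for the checks. The wording "an ancestor on the same filesystem" is the right precision for the current behaviour; consider adding a cross-reference to the SUIDSKIP entry in the environment section so the "Avoid trailing slashes" caveat is found from here.

Review bot: The added ".Xr mount 8" line in SEE ALSO is missing the trailing " ," that ".Xr daily 8 ," above it carries, so the list will render as "daily(8), mount(8) mtree(8)" with no separator before mtree(8); it should be ".Xr mount 8 ,".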
Index: libexec/security/security =================================================================== RCS file: /cvs/src/libexec/security/security,v retrieving revision 1.41 diff -u -p -r1.41 security --- libexec/security/security 11 Oct 2020 18:28:17 -0000 1.41 +++ libexec/security/security 15 Oct 2023 17:32:58 -0000 @@ -26,6 +26,7 @@ use Fcntl qw(O_RDONLY O_NONBLOCK :mode); use File::Basename qw(basename); use File::Compare qw(compare); use File::Copy qw(copy); +use List::Util qw(any); require File::Find; use constant { @@ -542,6 +543,7 @@ sub find_special_files { while (<$fh>) { my ($path, $opt) = /\son\s+(.*?)\s+type\s+\w+(.*)/; push @fs, $path if $path && $opt =~ /local/ && + !(any {substr($path, 0, (length $_) + 1) eq ($_ . "/")} (keys %skip)) && !($opt =~ /nodev/ && $opt =~ /nosuid/); } close_or_nag $fh, "mount" or return; Index: share/man/man8/security.8 =================================================================== RCS file: /cvs/src/share/man/man8/security.8,v retrieving revision 1.26 diff -u -p -r1.26 security.8 --- share/man/man8/security.8 13 Jul 2017 19:16:33 -0000 1.26 +++ share/man/man8/security.8 15 Oct 2023 17:33:00 -0000 @@ -58,6 +58,12 @@ Check NFS file for global export entries. .It Check for changes in setuid/setgid files and devices. +Skip this check for non-local filesystems, for filesystems mounted as both +.Dq nodev +and +.Dq nosuid , +and for paths set in +.Ev SUIDSKIP . .It Check disk ownership and permissions. .It @@ -130,6 +136,7 @@ Avoid trailing slashes. .Sh SEE ALSO .Xr changelist 5 , .Xr daily 8 , +.Xr mount 8 .Xr mtree 8 .Sh HISTORY A
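Review bot: The new "any" test in find_special_files excludes only mount points strictly below a SUIDSKIP entry (the comparison is against $_ . "/"), so with SUIDSKIP=/v the /v/1 filesystem is removed from @fs but /v itself is still pushed; whether /v is then skipped depends on the existing per-path %skip handling that this hunk does not show, so please confirm that case is covered, and note that an entry of "/" can never match here because no mount point starts with "//". The hunk also does not show where %skip is declared; confirm it is in scope inside find_special_files rather than only in the find callback. The appended slash is correct (it stops /v from matching /var), and it also means a trailing slash in SUIDSKIP matches nothing at the mount level, consistent with the "Avoid trailing slashes" note. A minor style point: substr($path, 0, (length $_) + 1) eq ($_ . "/") is equivalent to index($path, "$_/") == 0, which states the intent more directly.

Review bot: "and for paths set in .Ev SUIDSKIP" in the security.8 hunk understates what this diff changes: with the script hunk above, any filesystem mounted beneath a SUIDSKIP path is skipped as a whole, not only the files under that path on the same filesystem, which the covering mail presents as the point of the change. Say so explicitly, for example "and for all files and filesystems beneath a path set in .Ev SUIDSKIP".

Review bot: As in the other diff, the added ".Xr mount 8" in SEE ALSO needs a trailing " ," to match ".Xr daily 8 ,"; without it the rendered list runs "mount(8) mtree(8)" together.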