Dear colleagues,
In the attached security-special-files-1.diff I have documented
the changes from 2020 to the security(8) special file checks.
The 2020 changes are those based on ideas from Rupert Gallagher and
Todd Miller on misc@.
I don't like how complicated I made the documentation, so
I also propose an alternative: Change security(8) to allow
shorter documentation. This is in security-special-files-2.diff.
Here is an example of the difference. Consider running security(8)
with SUIDSKIP=/v in the environment and with the following lines
printed by mount(8).
/dev/sd5f on /v type ffs (local, noatime)
/dev/sd5g on /v/1 type ffs (local, noatime)
With the current approach (security-skip-suid-1.diff), the tree
under /v/1 is checked and everything else under /v is skipped.
With the alternative (security-skip-suid-2.diff), everything
under /v is skipped.
I find it easier to explain and understand the approach
in security-skip-suid-2.diff. If that approach is unwelcome,
I propose security-skip-suid-1.diff to document the current approach.
With great honour,
Ibsen S Ripsbusker
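The two SUIDSKIP semantics compared above, modelled as an added Perl example that is not part of either diff or of security(8) itself. It reuses the mount(8) line pattern and the nodev/nosuid filter from the second diff and adds a small "same filesystem" ancestor rule to stand in for the directory walk; the mount lines, file paths and the %skip hash are constructed for illustration, and the assumed List::Util::any needs Perl 5.20 or later.

```perl
#!/usr/bin/perl
# Added example, not code from security(8) or from either diff: models
# which files the setuid/setgid check examines under the current and
# the proposed SUIDSKIP semantics.  Mount lines and file paths below are
# constructed for illustration; List::Util::any needs Perl 5.20 or later.
use strict;
use warnings;
use List::Util qw(any);

# Constructed mount(8) output: the two lines from the mail plus a root,
# a nodev,nosuid and a remote filesystem that are skipped either way.
my @mount_lines = (
    "/dev/sd5a on / type ffs (local)",
    "/dev/sd5f on /v type ffs (local, noatime)",
    "/dev/sd5g on /v/1 type ffs (local, noatime)",
    "/dev/sd5h on /tmp type ffs (local, nodev, nosuid)",
    "fs.example.org:/export on /net type nfs (nfs)",
);

# All mount points, parsed with the same pattern find_special_files uses.
sub mount_points {
    my ($lines) = @_;
    my @points;
    for (@$lines) {
        push @points, $1 if /\son\s+(.*?)\s+type\s+\w+/;
    }
    return @points;
}

# Mount points the check walks: local and not both nodev and nosuid.
# With $drop_submounts set, filesystems mounted strictly below a
# SUIDSKIP entry (keys of %$skip) are dropped as well, which is the
# change made in the second diff.
sub checked_filesystems {
    my ($lines, $skip, $drop_submounts) = @_;
    my @fs;
    for (@$lines) {
        my ($path, $opt) = /\son\s+(.*?)\s+type\s+\w+(.*)/;
        next unless $path && $opt =~ /local/;
        next if $opt =~ /nodev/ && $opt =~ /nosuid/;
        next if $drop_submounts
            && any { substr($path, 0, length($_) + 1) eq "$_/" } keys %$skip;
        push @fs, $path;
    }
    return @fs;
}

# Longest mount point that contains $file; "/" catches everything else.
sub filesystem_of {
    my ($file, @mounts) = @_;
    my $best = "/";
    for my $m (@mounts) {
        next if $m eq "/";
        next unless $file eq $m || index($file, "$m/") == 0;
        $best = $m if length $m > length $best;
    }
    return $best;
}

# The walk of a filesystem prunes at a SUIDSKIP entry, so an entry hides
# a file only when it names the file or an ancestor on the same
# filesystem; an entry above the mount point lives on another filesystem
# and does not affect the walk of this one.
sub pruned_by_skip {
    my ($file, $skip, @mounts) = @_;
    my $fs = filesystem_of($file, @mounts);
    return any {
        ($file eq $_ || index($file, "$_/") == 0)
            && filesystem_of($_, @mounts) eq $fs
    } keys %$skip;
}

# 1 if the setuid/setgid check would look at $file, else 0.
sub is_checked {
    my ($file, $lines, $skip, $drop_submounts) = @_;
    my @all = mount_points($lines);
    my @fs  = checked_filesystems($lines, $skip, $drop_submounts);
    my $fs  = filesystem_of($file, @all);
    return 0 unless any { $_ eq $fs } @fs;
    return pruned_by_skip($file, $skip, @all) ? 0 : 1;
}

my %skip = ("/v" => 1);    # SUIDSKIP=/v, as in the mail
for my $file ("/usr/bin/su", "/v/bin/tool", "/v/1/bin/tool",
              "/tmp/suid", "/net/suid") {
    printf "%-14s current: %-7s proposed: %s\n", $file,
        is_checked($file, \@mount_lines, \%skip, 0) ? "checked" : "skipped",
        is_checked($file, \@mount_lines, \%skip, 1) ? "checked" : "skipped";
}
```

Running it shows the single difference between the two approaches: a file under the separately mounted /v/1 is checked with the current behaviour and skipped once filesystems below a SUIDSKIP entry are dropped from the list, while files directly under /v, on the nodev,nosuid /tmp and on the remote /net are skipped either way. The real script walks each filesystem with File::Find; this model only decides membership and does not touch the disk.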
Index: share/man/man8/security.8
===================================================================
RCS file: /cvs/src/share/man/man8/security.8,v
retrieving revision 1.26
diff -u -p -r1.26 security.8
--- share/man/man8/security.8 13 Jul 2017 19:16:33 -0000 1.26
+++ share/man/man8/security.8 15 Oct 2023 17:34:28 -0000
@@ -58,6 +58,14 @@ Check NFS
file for global export entries.
.It
Check for changes in setuid/setgid files and devices.
+Skip this check for a particular file if
+the file's filesystem is non-local;
+the file's filesystem is mounted with both
+.Dq nodev
+and
+.Dq nosuid ;
+or
+.Ev SUIDSKIP references the file or an ancestor on the same filesystem.
.It
Check disk ownership and permissions.
.It
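Review bot: mdoc problem on the `.Ev SUIDSKIP references the file or an ancestor on the same filesystem.` line: an in-line macro applies its style to every remaining word on the line, so the whole sentence would be rendered as if it were part of the environment variable name. Put `.Ev SUIDSKIP` on a line of its own and continue the prose on the next line, as the hunk already does for `.Dq nodev` and `.Dq nosuid ;`. The three semicolon-separated conditions otherwise match the behaviour the mail describes (the walk of /v is pruned at /v, the separately mounted /v/1 is still checked).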
@@ -130,6 +138,7 @@ Avoid trailing slashes.
.Sh SEE ALSO
.Xr changelist 5 ,
.Xr daily 8 ,
+.Xr mount 8
.Xr mtree 8
.Sh HISTORY
A
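Review bot: `.Xr mount 8` is missing its trailing comma. It is followed by `.Xr mtree 8`, so it should read `.Xr mount 8 ,` like the `.Xr daily 8 ,` line above it; otherwise SEE ALSO renders without a separator between mount(8) and mtree(8).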
Index: libexec/security/security
===================================================================
RCS file: /cvs/src/libexec/security/security,v
retrieving revision 1.41
diff -u -p -r1.41 security
--- libexec/security/security 11 Oct 2020 18:28:17 -0000 1.41
+++ libexec/security/security 15 Oct 2023 17:32:58 -0000
@@ -26,6 +26,7 @@ use Fcntl qw(O_RDONLY O_NONBLOCK :mode);
use File::Basename qw(basename);
use File::Compare qw(compare);
use File::Copy qw(copy);
+use List::Util qw(any);
require File::Find;
use constant {
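Review bot: `use List::Util qw(any);` is the only new dependency in the diff and it is imported for a single prefix test; `any` has shipped in List::Util since 1.33 (bundled with Perl 5.20), so this is fine for the Perl in base, but a plain `grep { index($path, "$_/") == 0 } keys %skip` in boolean context would do the same job without the import. Not a blocker.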
@@ -542,6 +543,7 @@ sub find_special_files {
while (<$fh>) {
my ($path, $opt) = /\son\s+(.*?)\s+type\s+\w+(.*)/;
push @fs, $path if $path && $opt =~ /local/ &&
+ !(any {substr($path, 0, (length $_) + 1) eq ($_ . "/")}
(keys %skip)) &&
!($opt =~ /nodev/ && $opt =~ /nosuid/);
}
close_or_nag $fh, "mount" or return;
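Review bot: the new test `substr($path, 0, (length $_) + 1) eq ($_ . "/")` only drops filesystems mounted strictly below a SUIDSKIP entry; a mount point that equals an entry (SUIDSKIP=/v with /v itself a mount point, the case in the mail) stays in @fs and is relied on to be pruned later in the walk. That is consistent with the behaviour described, but it deserves a comment, and it should be stated that `%skip` (neither declared nor populated in this hunk) must be keyed by paths exactly as mount(8) prints them: an entry written as `/v/` would produce the prefix `/v//` and never match `/v/1`, which is why the "Avoid trailing slashes" wording in the manual matters here. Style: the `any { ... }` block nested inside the multi-line `push ... if` condition is hard to read; compute `my $under_skip = any { ... } keys %skip;` first and test `!$under_skip` in the condition.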
Index: share/man/man8/security.8
===================================================================
RCS file: /cvs/src/share/man/man8/security.8,v
retrieving revision 1.26
diff -u -p -r1.26 security.8
--- share/man/man8/security.8 13 Jul 2017 19:16:33 -0000 1.26
+++ share/man/man8/security.8 15 Oct 2023 17:33:00 -0000
@@ -58,6 +58,12 @@ Check NFS
file for global export entries.
.It
Check for changes in setuid/setgid files and devices.
+Skip this check for non-local filesystems, for filesystems mounted as both
+.Dq nodev
+and
+.Dq nosuid ,
+and for paths set in
+.Ev SUIDSKIP .
.It
Check disk ownership and permissions.
.It
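Review bot: "for paths set in .Ev SUIDSKIP" under-describes the behaviour this second diff introduces: it reads as if only the listed paths are skipped, whereas the accompanying change to find_special_files also drops every filesystem mounted beneath such a path (the /v/1 case from the mail), which is exactly what distinguishes this version from the first diff. Say so, for example `and for paths set in` / `.Ev SUIDSKIP ,` / `together with any filesystem mounted beneath them.`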
@@ -130,6 +136,7 @@ Avoid trailing slashes.
.Sh SEE ALSO
.Xr changelist 5 ,
.Xr daily 8 ,
+.Xr mount 8
.Xr mtree 8
.Sh HISTORY
A
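Review bot: same SEE ALSO issue as in the first diff: `.Xr mount 8` needs a trailing comma (`.Xr mount 8 ,`) because `.Xr mtree 8` follows it.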