| field | value | date |
|---|---|---|
| author | Kenneth R Westerback <krw@cvs.openbsd.org> | 2002-09-25 12:19:13 +0000 |
| committer | Kenneth R Westerback <krw@cvs.openbsd.org> | 2002-09-25 12:19:13 +0000 |
| commit | b6dee0b899532b2a77218ba135c2bbca7f74cae7 | |
| tree | df76f198ee4e0270abf0639d67a5001ffe6022d0 | |
| parent | 66d72c3ed842f0393a6ea815a0a674bb1a7e11c0 | |
Try to minimize places where suid programs and devices can live
by implementing the rules:
Only '/' is neither nodev nor nosuid. i.e. it can obviously *always*
contain devices or setuid programs.
Every other mounted filesystem is nodev. If the user chooses to mount
/dev as a separate filesystem, then on the user's head be it.
The only directories that install puts suid binaries into (as of 3.2)
are:
/sbin
/usr/bin
/usr/sbin
/usr/libexec
/usr/libexec/auth
/usr/X11R6/bin
and ports and users can do who knows what to /usr/local and sub
directories thereof.
So try to ensure that only filesystems that are mounted at or above
these directories can contain suid programs. In the case of
/usr/libexec, give blanket permission for subdirectories.
Note that if *all* the above are split into separate filesystems the
install process will attempt a couple of cross-device links when
installing base32.tgz, and fail.
ok deraadt@.
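The policy described in the commit message is easy to state but easy to get wrong by hand when an administrator later edits fstab(5). The following is an added example, not OpenBSD code and not part of this commit: `fstab_opts` encodes the rules above (only `/` may hold devices and setuid binaries, every other filesystem is nodev, nosuid unless the mount point is in the allowed list), and `audit_fstab` reads fstab lines from standard input and reports ffs entries whose options are weaker than that policy. The sample fstab is constructed for the example; the function and variable names are this example's own.

```sh
#!/bin/sh
# Added example (not OpenBSD code): check an fstab against the nodev/nosuid
# rules that install.sh applies at install time (as of 3.2).

# fstab_opts MOUNTPOINT
# Prints the options the policy assigns to a writable ffs filesystem at
# MOUNTPOINT. Patterns are exact strings, as in install.sh; /usr/libexec
# and /usr/local get blanket permission for subdirectories.
fstab_opts() {
    case "$1" in
    /)
        echo "rw" ;;
    /sbin|/usr|/usr/bin|/usr/sbin|/usr/libexec|/usr/libexec/*|/usr/local|/usr/local/*|/usr/X11R6|/usr/X11R6/bin)
        echo "rw,nodev" ;;
    *)
        echo "rw,nodev,nosuid" ;;
    esac
}

# has_opt OPTS NAME: succeeds if NAME is one of the comma-separated OPTS.
has_opt() {
    case ",$1," in
    *,"$2",*) return 0 ;;
    *)        return 1 ;;
    esac
}

# audit_fstab
# Reads fstab(5) lines from stdin. For every ffs entry, prints
# "<mountpoint>: missing <option>" for each of nodev/nosuid that the
# policy requires but the entry lacks. Returns 1 if anything was
# reported, 0 if the table already satisfies the policy.
audit_fstab() {
    _bad=0
    while read -r _dev _mp _type _opts _rest; do
        case "$_dev" in ''|'#'*) continue ;; esac   # blank or comment line
        [ "$_type" = ffs ] || continue              # only local ffs matters here
        _want=$(fstab_opts "$_mp")
        for _o in nodev nosuid; do
            if has_opt "$_want" "$_o" && ! has_opt "$_opts" "$_o"; then
                echo "$_mp: missing $_o"
                _bad=1
            fi
        done
    done
    return "$_bad"
}

# Constructed sample fstab for the demonstration (not from a real system).
# /usr/local, /home and /var are deliberately weaker than the policy.
SAMPLE_FSTAB=$(cat <<'EOF'
# device    mountpoint   type  options            dump pass
/dev/wd0a   /            ffs   rw                 1 1
/dev/wd0d   /usr         ffs   rw,nodev           1 2
/dev/wd0e   /usr/local   ffs   rw                 1 2
/dev/wd0f   /home        ffs   rw,nodev           1 2
/dev/wd0g   /tmp         ffs   rw,nodev,nosuid    1 2
/dev/wd0h   /var         ffs   rw,nosuid          1 2
EOF
)

if printf '%s\n' "$SAMPLE_FSTAB" | audit_fstab; then
    echo "fstab matches policy"
else
    echo "policy violations found (listed above)"
fi
```

On a live system the same function can be pointed at the real table with `audit_fstab < /etc/fstab`; because the allowed list is matched as exact strings, a mount point written with a trailing slash is treated as "not allowed" and reported as missing nosuid, which is the safe direction to fail in.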
-rw-r--r-- | distrib/miniroot/install.sh | 52 |
1 files changed, 45 insertions, 7 deletions
diff --git a/distrib/miniroot/install.sh b/distrib/miniroot/install.sh index 9d3f1ed452d..2eb32c69306 100644 --- a/distrib/miniroot/install.sh +++ b/distrib/miniroot/install.sh @@ -1,5 +1,5 @@ #!/bin/sh -# $OpenBSD: install.sh,v 1.116 2002/09/24 01:26:15 krw Exp $ +# $OpenBSD: install.sh,v 1.117 2002/09/25 12:19:12 krw Exp $ # $NetBSD: install.sh,v 1.5.2.8 1996/08/27 18:15:05 gwr Exp $ # # Copyright (c) 1997-2002 Todd Miller, Theo de Raadt, Ken Westerback @@ -266,12 +266,50 @@ __EOT for _pp in ${_partitions[*]}; do if [ "$_mp" = "${_mount_points[$_i]}" ]; then echo -n "/dev/$_pp $_mp ffs rw" - case $_mp in - "/") echo " 1 1" ;; - "/tmp"|"/var"|"/var/tmp"|"/usr/obj"|"/home") echo ",nosuid,nodev 1 2" ;; - "/usr") echo ",nodev 1 2" ;; - *) echo " 1 2" ;; - esac + # Only '/' is neither nodev nor nosuid. i.e. + # it can obviously *always* contain devices or + # setuid programs. + # + # Every other mounted filesystem is nodev. If + # the user chooses to mount /dev as a separate + # filesystem, then on the user's head be it. + # + # The only directories that install puts suid + # binaries into (as of 3.2) are: + # + # /sbin + # /usr/bin + # /usr/sbin + # /usr/libexec + # /usr/libexec/auth + # /usr/X11R6/bin + # + # and ports and users can do who knows what + # to /usr/local and sub directories thereof. + # + # So try to ensure that only filesystems that + # are mounted at or above these directories + # can contain suid programs. In the case of + # /usr/libexec, give blanket permission for + # subdirectories. + if [[ $_mp == / ]]; then + # / can hold devices and suid programs. + echo " 1 1" + else + # No devices anywhere but /. + echo -n ",nodev" + case $_mp in + # A few directories are allowed suid. + /sbin|/usr) ;; + /usr/bin|/usr/sbin) ;; + /usr/libexec|/usr/libexec/*) ;; + /usr/local|/usr/local/*) ;; + /usr/X11R6|/usr/X11R6/bin) ;; + # But all others are not. + *) echo -n ",nosuid" ;; + esac + echo " 1 2" + fi fi : $(( _i += 1 )) done |
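Review bot: the allow-list in the new `case $_mp in` is matched as exact strings, so a mount point that reaches this loop in non-canonical form (a trailing slash such as `/usr/`, or a doubled slash) falls into the `*)` branch and silently gets `nosuid`; that fails closed, but either normalise `$_mp` before the `case` or note in the comment that only canonical paths are recognised. Note too that `/usr/X11R6|/usr/X11R6/bin)` gives no blanket permission to subdirectories the way `/usr/libexec/*` and `/usr/local/*` do, so a separate `/usr/X11R6/lib` filesystem becomes nosuid; that matches the "as of 3.2" list, but it is worth stating explicitly since the neighbouring patterns behave differently. Style point: the thirty-line comment restating the policy now sits inside the `for _pp` loop body; hoisting it above the loop (or to the file header, next to the other rationale comments) and leaving a one-line pointer at the `case` would keep the loop readable and give the "as of 3.2" list one place to be updated. Finally, the commit message warns that splitting all of the listed directories onto separate filesystems makes the base32.tgz install fail on cross-device links, but nothing in this hunk warns the user at the point where they choose those mount points; a one-line warning here would save a failed install.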