From b6dee0b899532b2a77218ba135c2bbca7f74cae7 Mon Sep 17 00:00:00 2001
From: Kenneth R Westerback
Date: Wed, 25 Sep 2002 12:19:13 +0000
Subject: Try to minimize places where suid programs and devices can live by implementing the rules: Only '/' is neither nodev nor nosuid. i.e. it can obviously *always* contain devices or setuid programs. Every other mounted filesystem is nodev. If the user chooses to mount /dev as a separate filesystem, then on the user's head be it. The only directories that install puts suid binaries into (as of 3.2) are: /sbin /usr/bin /usr/sbin /usr/libexec /usr/libexec/auth /usr/X11R6/bin and ports and users can do who knows what to /usr/local and sub directories thereof. So try to ensure that only filesystems that are mounted at or above these directories can contain suid programs. In the case of /usr/libexec, give blanket permission for subdirectories. Note that if *all* the above are split into separate filesystems the install process will attempt a couple of cross-device links when installing base32.tgz, and fail. ok deraadt@.
---
 distrib/miniroot/install.sh | 52 +++++++++++++++++++++++++++++++++++++++------
 1 file changed, 45 insertions(+), 7 deletions(-)
diff --git a/distrib/miniroot/install.sh b/distrib/miniroot/install.sh
index 9d3f1ed452d..2eb32c69306 100644
--- a/distrib/miniroot/install.sh
+++ b/distrib/miniroot/install.sh
@@ -1,5 +1,5 @@
 #!/bin/sh
-# $OpenBSD: install.sh,v 1.116 2002/09/24 01:26:15 krw Exp $
+# $OpenBSD: install.sh,v 1.117 2002/09/25 12:19:12 krw Exp $
 # $NetBSD: install.sh,v 1.5.2.8 1996/08/27 18:15:05 gwr Exp $
 #
 # Copyright (c) 1997-2002 Todd Miller, Theo de Raadt, Ken Westerback
@@ -266,12 +266,50 @@ __EOT
 for _pp in ${_partitions[*]}; do
 if [ "$_mp" = "${_mount_points[$_i]}" ]; then
 echo -n "/dev/$_pp $_mp ffs rw"
- case $_mp in
- "/") echo " 1 1" ;;
- "/tmp"|"/var"|"/var/tmp"|"/usr/obj"|"/home") echo ",nosuid,nodev 1 2" ;;
- "/usr") echo ",nodev 1 2" ;;
- *) echo " 1 2" ;;
- esac
+ # Only '/' is neither nodev nor nosuid. i.e.
+ # it can obviously *always* contain devices or
+ # setuid programs.
+ #
+ # Every other mounted filesystem is nodev. If
+ # the user chooses to mount /dev as a separate
+ # filesystem, then on the user's head be it.
+ #
+ # The only directories that install puts suid
+ # binaries into (as of 3.2) are:
+ #
+ # /sbin
+ # /usr/bin
+ # /usr/sbin
+ # /usr/libexec
+ # /usr/libexec/auth
+ # /usr/X11R6/bin
+ #
+ # and ports and users can do who knows what
+ # to /usr/local and sub directories thereof.
+ #
+ # So try to ensure that only filesystems that
+ # are mounted at or above these directories
+ # can contain suid programs. In the case of
+ # /usr/libexec, give blanket permission for
+ # subdirectories.
+ if [[ $_mp == / ]]; then
+ # / can hold devices and suid programs.
+ echo " 1 1"
+ else
+ # No devices anywhere but /.
+ echo -n ",nodev"
+ case $_mp in
+ # A few directories are allowed suid.
+ /sbin|/usr) ;;
+ /usr/bin|/usr/sbin) ;;
+ /usr/libexec|/usr/libexec/*) ;;
+ /usr/local|/usr/local/*) ;;
+ /usr/X11R6|/usr/X11R6/bin) ;;
+ # But all others are not.
+ *) echo -n ",nosuid" ;;
+ esac
+ echo " 1 2"
+ fi
 fi
 : $(( _i += 1 ))
 done
--
cgit v1.2.3
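Review bot: The suid allowlist in the `case $_mp in` arms repeats the directory list given in the comment block above it, but nothing ties the two together, so the next time install places a setuid binary in a new directory one of them is likely to be updated without the other. A one-line comment on the `case` such as `# Keep in sync with the directory list above; any mount point not matched here gets nosuid.` would make the default-deny shape of the arms explicit for the next maintainer. The match is a literal string comparison on `$_mp`; if the entries in `_mount_points` are not canonicalised before this loop (not visible in the hunk), a value such as `/usr/` falls through to `*)` and is mounted nosuid, which is the safe direction but would surprise the user. The outer block indexed by `_i` starts before the hunk; the `done` on the hunk's last line closes only the `for _pp` loop.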