[HEADSUP] Disallowing read() of a directory fd
Kyle Evans
kevans at freebsd.org
Fri May 15 13:14:52 UTC 2020
On Fri, May 15, 2020 at 2:51 AM Poul-Henning Kamp <phk at phk.freebsd.dk> wrote:
>
> --------
> In message <CACNAnaFDHMkConkBLY-2BMAudueDA8-HTJ5_FNpt4WrB=gg_HA at mail.gmail.com>
> , Kyle Evans writes:
> >On Thu, May 14, 2020 at 3:30 PM Poul-Henning Kamp <phk at phk.freebsd.dk> wrote:
>
> >Can we explore the possibility of using fsdb(8) to fulfill these needs
> >in a way that you'd be comfortable with?
> >
> Summary: I'm perfectly fine with read(2) returning error on a
> directory *under normal circumstances*, and I think it makes good
> sense by protecting a lot of terminals from a lot of binary
> garbage.
>
> But there is absolutely no reason to make it *impossible* for
> a competent root to do what competent roots do.
>
First, apologies if my previous message offended you -- I didn't
mean for this, but as you can tell I was not well-equipped to discuss
the possibilities with a seasoned veteran such as yourself.

I've prepared a patch locally to update the review that both hides it
behind security.bsd.allow_read_dir (default off) and restricts it
to a new PRIV_VFS_READ_DIR that *is not* granted to jailed root. I
know we've already discussed this to some extent, but can you confirm
that these restrictions are reasonable and acceptable for you? I've
tentatively placed it in the security.bsd.* namespace because it can
have, and has had, security implications, but I'm certainly not dead-set on
it staying there.

Thanks,

Kyle Evans
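As an added illustration (not part of this thread and not Kyle's patch), the small C program below probes the behaviour being discussed from userland: it opens a directory, attempts a raw read(2) on the descriptor, and reports whether the kernel hands back bytes or refuses with EISDIR, then enumerates the same directory through readdir(3), which keeps working regardless of the policy. On a FreeBSD kernel carrying the review with security.bsd.allow_read_dir left at its default of 0, and on Linux (which has refused this unconditionally for years), the probe reports EISDIR; the helper names probe_dir_read and count_entries are my own, and the program assumes nothing beyond POSIX.

```c
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `path` and attempt a raw read(2) on the descriptor.
 * Returns 0 if the kernel returned directory bytes (policy permits it),
 * the errno read(2) set otherwise (EISDIR when raw directory reads are
 * refused), or -1 if `path` could not be opened as a directory. */
int probe_dir_read(const char *path)
{
    char buf[512];
    struct stat st;
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    /* Only probe actual directories; fstat is portable where O_DIRECTORY may not be. */
    if (fstat(fd, &st) != 0 || !S_ISDIR(st.st_mode)) {
        close(fd);
        return -1;
    }
    ssize_t n = read(fd, buf, sizeof(buf));
    int err = (n < 0) ? errno : 0;
    close(fd);
    return err;
}

/* The portable way to list a directory: readdir(3) goes through the
 * VOP_READDIR path and is unaffected by the read(2) policy.
 * Returns the entry count, or -1 if the directory cannot be opened. */
long count_entries(const char *path)
{
    DIR *d = opendir(path);
    if (d == NULL)
        return -1;
    long n = 0;
    while (readdir(d) != NULL)
        n++;
    closedir(d);
    return n;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/";
    int err = probe_dir_read(path);
    if (err == 0)
        printf("read(2) on %s returned raw directory bytes: policy allows it\n", path);
    else if (err == EISDIR)
        printf("read(2) on %s refused with EISDIR; use readdir(3) instead\n", path);
    else if (err > 0)
        printf("read(2) on %s failed: %s\n", path, strerror(err));
    else
        printf("could not open %s as a directory\n", path);
    printf("readdir(3) enumerates %ld entries in %s\n", count_entries(path), path);
    return 0;
}
```

Run it against any directory (the default is /); a tool that relied on reading raw directory blocks should treat EISDIR as the signal to fall back to readdir(3) or, for on-disk inspection, to fsdb(8) as proposed earlier in the thread.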