drop support for afs, nnpfs, and procfs from security(8)

drop support for afs, nnpfs, and procfs from security(8)

Ingo Schwarze
Hi,

by chance, I noticed that security(8) is careful to avoid scanning
filesystems of the types "afs", "nnpfs", and "procfs".  According
to "ls /sbin/mount*", no such file systems are supported, and the
only page "man -ak any=afs any=nnpfs any=procfs" brings up seems
to be sshd_config(5) talking about KerberosGetAFSToken, which seems
tangentially related at best.  Even pkg_locate(1) comes up empty-handed
with respect to mount_afs, mount_nnpfs, and mount_procfs.

Does anyone think that explicitly excluding these file system
types might still be useful, or is the following simplification
OK?  No functional change intended.

Yours,
  Ingo


Index: security
===================================================================
RCS file: /cvs/src/libexec/security/security,v
retrieving revision 1.39
diff -U4 -p -r1.39 security
--- security 14 Sep 2020 14:43:13 -0000 1.39
+++ security 14 Sep 2020 15:11:07 -0000
@@ -539,11 +539,11 @@ sub find_special_files {
  nag !(open my $fh, '-|', 'mount'),
     "cannot spawn mount: $!"
     and return;
  while (<$fh>) {
- my ($path, $type, $opt) = /\son\s+(.*?)\s+type\s+(\w+)(.*)/;
+ my ($path, $opt) = /\son\s+(.*?)\s+type\s+\w+(.*)/;
  $skip{$path} = 1 if $path &&
-    ($type =~ /^(?:a|nnp|proc)fs$/ || $opt !~ /local/ ||
+    ($opt !~ /local/ ||
      ($opt =~ /nodev/ && $opt =~ /nosuid/));
  }
  close_or_nag $fh, "mount" or return;
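
Review bot: In the skip condition (`$skip{$path} = 1 if $path && (...)`), dropping the `$type` test leaves the mount options as the only filter, so a mount reported as local without both nodev and nosuid is now traversed whatever its type. That matches the old behaviour only as long as afs, nnpfs and procfs never appear in mount output, so the commit message should state that assumption. The regex still requires `type\s+\w+` to match even though the type is no longer captured, which is fine; a one-line comment above the loop saying what gets skipped (non-local file systems, and those mounted with both nodev and nosuid) would document the rule that remains.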

Re: drop support for afs, nnpfs, and procfs from security(8)

Todd C. Miller-3
On Wed, 16 Sep 2020 18:17:36 +0200, Ingo Schwarze wrote:

> Does anyone think that explicitly excluding these file system
> types might still be useful, or is the following simplification
> OK?  No functional change intended.

I think those bits can go.  OK millert@

 - todd

Re: drop support for afs, nnpfs, and procfs from security(8)

Ingo Schwarze
Hi Todd,

Todd C. Miller wrote on Wed, Sep 16, 2020 at 01:36:09PM -0600:
> On Wed, 16 Sep 2020 18:17:36 +0200, Ingo Schwarze wrote:

>> Does anyone think that explicitly excluding these file system
>> types might still be useful, or is the following simplification
>> OK?  No functional change intended.

> I think those bits can go.  OK millert@

Committed, thanks for checking.
  Ingo