wxallowed flag

classic Classic list List threaded Threaded
9 messages Options
Reply | Threaded
Open this post in threaded view
|

wxallowed flag

Leonid Bobrov
Hi!

Is this a really good idea to keep wxallowed flag on /usr/local by
default? Is this so scary that many poop software will break (this is
not a big loss at all)? After all not enabling this flag by default is
the right thing to do, reliance on W|X should go to /dev/null

The only problem I see after removing this flag and removing python
is that it also removes packages which, for example, have
devel/desktop-file-utils in run dependencies, but they work without it.

Reply | Threaded
Open this post in threaded view
|

Re: wxallowed flag

Marc Espie-2
On Fri, Jan 26, 2018 at 12:56:15PM +0200, mazocomp wrote:

> Hi!
>
> Is this a really good idea to keep wxallowed flag on /usr/local by
> default? Is this so scary that many poop software will break (this is
> not a big loss at all)? After all not enabling this flag by default is
> the right thing to do, reliance on W|X should go to /dev/null
>
> The only problem I see after removing this flag and removing python
> is that it also removes packages which, for example, have
> devel/desktop-file-utils in run dependencies, but they work without it.

I don't see your patches for fixing the rather important shit that still
requires wxallowed.

Reply | Threaded
Open this post in threaded view
|

Re: wxallowed flag

Leonid Bobrov
On Fri, Jan 26, 2018 at 12:28:00PM +0100, Marc Espie wrote:

> On Fri, Jan 26, 2018 at 12:56:15PM +0200, mazocomp wrote:
> > Hi!
> >
> > Is this a really good idea to keep wxallowed flag on /usr/local by
> > default? Is this so scary that many poop software will break (this is
> > not a big loss at all)? After all not enabling this flag by default is
> > the right thing to do, reliance on W|X should go to /dev/null
> >
> > The only problem I see after removing this flag and removing python
> > is that it also removes packages which, for example, have
> > devel/desktop-file-utils in run dependencies, but they work without it.
>
> I don't see your patches for fixing the rather important shit that still
> requires wxallowed.
>

So you mean broken packages are more important than system's default
security? Was that true when ProPolice was enabled by default?

Reply | Threaded
Open this post in threaded view
|

Re: wxallowed flag

Solene Rapenne
Le 2018-01-26 12:52, mazocomp a écrit :

> On Fri, Jan 26, 2018 at 12:28:00PM +0100, Marc Espie wrote:
>> On Fri, Jan 26, 2018 at 12:56:15PM +0200, mazocomp wrote:
>> > Hi!
>> >
>> > Is this a really good idea to keep wxallowed flag on /usr/local by
>> > default? Is this so scary that many poop software will break (this is
>> > not a big loss at all)? After all not enabling this flag by default is
>> > the right thing to do, reliance on W|X should go to /dev/null
>> >
>> > The only problem I see after removing this flag and removing python
>> > is that it also removes packages which, for example, have
>> > devel/desktop-file-utils in run dependencies, but they work without it.
>>
>> I don't see your patches for fixing the rather important shit that
>> still
>> requires wxallowed.
>>
>
> So you mean broken packages are more important than system's default
> security? Was that true when ProPolice was enabled by default?

That doesn't change base system security if you don't install packages.

Reply | Threaded
Open this post in threaded view
|

Re: wxallowed flag

Marc Espie-2
In reply to this post by Leonid Bobrov
On Fri, Jan 26, 2018 at 01:52:10PM +0200, mazocomp wrote:

> On Fri, Jan 26, 2018 at 12:28:00PM +0100, Marc Espie wrote:
> > On Fri, Jan 26, 2018 at 12:56:15PM +0200, mazocomp wrote:
> > > Hi!
> > >
> > > Is this a really good idea to keep wxallowed flag on /usr/local by
> > > default? Is this so scary that many poop software will break (this is
> > > not a big loss at all)? After all not enabling this flag by default is
> > > the right thing to do, reliance on W|X should go to /dev/null
> > >
> > > The only problem I see after removing this flag and removing python
> > > is that it also removes packages which, for example, have
> > > devel/desktop-file-utils in run dependencies, but they work without it.
> >
> > I don't see your patches for fixing the rather important shit that still
> > requires wxallowed.
> >
>
> So you mean broken packages are more important than system's default
> security? Was that true when ProPolice was enabled by default?

Obviously, you don't understand the difference between fixing factually
broken software and enforcing supplementary restrictive semantics on
top of the traditional posix api   that actually requires actual changes
to adapt.

Reply | Threaded
Open this post in threaded view
|

Re: wxallowed flag

Leonid Bobrov
In reply to this post by Leonid Bobrov
Well, I've just checked python's port and created a package
without USE_WXNEEDED and it works pretty well. How about I'll
send a patch to ports@ which will create "wx" or "no_wx" flavor?

Reply | Threaded
Open this post in threaded view
|

Re: wxallowed flag

Theo de Raadt-2
In reply to this post by Leonid Bobrov
I think you have interpreted the situation backwards.

The wxallowed flag is not on other filesystems.  Therefore, binaries
on those filesystems which misbehave will fail.

There are about 15 programs which need fixing, and the wxallowed could
become a piece of history.

Unfortunately some of those 15 are very large ecosystems, and their
upstreams are not yet concerned about this problem.

>Is this a really good idea to keep wxallowed flag on /usr/local by
>default? Is this so scary that many poop software will break (this is
>not a big loss at all)? After all not enabling this flag by default is
>the right thing to do, reliance on W|X should go to /dev/null
>
>The only problem I see after removing this flag and removing python
>is that it also removes packages which, for example, have
>devel/desktop-file-utils in run dependencies, but they work without it.
>
>

Reply | Threaded
Open this post in threaded view
|

Re: wxallowed flag

Leonid Bobrov
On Fri, Jan 26, 2018 at 08:12:11PM -0700, Theo de Raadt wrote:

> I think you have interpreted the situation backwards.
>
> The wxallowed flag is not on other filesystems.  Therefore, binaries
> on those filesystems which misbehave will fail.
>
> There are about 15 programs which need fixing, and the wxallowed could
> become a piece of history.
>
> Unfortunately some of those 15 are very large ecosystems, and their
> upstreams are not yet concerned about this problem.
>
> >Is this a really good idea to keep wxallowed flag on /usr/local by
> >default? Is this so scary that many poop software will break (this is
> >not a big loss at all)? After all not enabling this flag by default is
> >the right thing to do, reliance on W|X should go to /dev/null
> >
> >The only problem I see after removing this flag and removing python
> >is that it also removes packages which, for example, have
> >devel/desktop-file-utils in run dependencies, but they work without it.
> >
> >
Hm, grepping Makefiles finds 51 files which contain USE_WXNEEDED.

As I understand many of these ports are clean (for example, python),
but this variable is used for their broken extensions.

So, I have to identify which ones are exactly broken (Stuart Henderson
said this is the trickier part), contact their developers (if the
software is not abandoned) and send patches, right?

wxports (2K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: wxallowed flag

Theo de Raadt-2
In reply to this post by Leonid Bobrov
> So, I have to identify which ones are exactly broken (Stuart Henderson
> said this is the trickier part), contact their developers (if the
> software is not abandoned) and send patches, right?

Your approach of making the world better will be "getting in their face"?

You have some sort of list. You could start by fixing one of them.
Then you would have credentials.