wireguard-openbsd/libexec/security, branch master WireGuard implementation for the OpenBSD kernel https://git.zx2c4.com/wireguard-openbsd/atom/libexec/security?h=master 2020-10-11T18:28:17Z Don't skip file systems just because the parent fs is nodev and nosuid. 2020-10-11T18:28:17Z millert millert@openbsd.org 2020-10-11T18:28:17Z urn:sha1:14dbc6804011bf8bc03e02f7e0718c4149b8a1bf Fixes instances where a mount point uses the nodev and nosuid options but another file system mounted inside that hierarchy does not. OK schwarze@ afs, nnpfs, and procfs are no longer supported, 2020-09-17T06:51:06Z schwarze schwarze@openbsd.org 2020-09-17T06:51:06Z urn:sha1:352e64a166b7bb06ff5892484e1670bd431699d7 so stop looking for them in mount(8) output; no functional change intended; OK millert@ Do not bother scanning file systems that are both nodev and nosuid 2020-09-14T14:43:13Z schwarze schwarze@openbsd.org 2020-09-14T14:43:13Z urn:sha1:0a0d7ac4dfb968623be53fdf206413eca1ce8a24 for SUID, SGID, and device files, implementing an idea that deraadt@ came up with based on a somewhat similar idea from millert@ after a loosely related comment from Rupert Gallagher on misc@. While here, minimally simplify the way mount options are parsed, hoping to make the parsing more readable and also more robust. OK millert@ deraadt@ Remove user uucp and group news from base. 2016-12-27T09:17:52Z jca jca@openbsd.org 2016-12-27T09:17:52Z urn:sha1:28e4bf3df6c372846df146c14145c7ed0f21596e When checking ownership and modes of files in /var/mail/, 2016-10-22T18:35:12Z schwarze schwarze@openbsd.org 2016-10-22T18:35:12Z urn:sha1:8e6fa7367df578e60e99ec4141d489e5abe3f186 ignore *.lock files, to avoid pointless warning mails reported by Philippe Meunier <meunier at ccs dot neu dot edu>; OK florian@ jca@ When reading untrusted user files, don't risk blocking, such that 2015-07-21T19:07:13Z schwarze schwarze@openbsd.org 2015-07-21T19:07:13Z urn:sha1:91f416ab0fdc502754c926d4a0ad8b5e3d911eac users can't mount a DOS attack against security(8), and for additional safety against race attacks, make sure they are regular files after opening and before actually reading them. Issue originally hinted at by Sevan Janiyan <venture37 at geeklan dot com dot uk> based on a NetBSD commit message, then commented on by tedu@, problem finally confirmed by guenther@, who also provided feedback on the actual patch. When diff(1) finds differences, it returns an exit status of 1. 2015-04-21T10:24:22Z schwarze schwarze@openbsd.org 2015-04-21T10:24:22Z urn:sha1:f3fe92c90f987a8ad7d71dfb52646b676ea4db88 In that particular case, refrain from printing "diff: exit code 1" because that exit status doesn't indicate an error condition. Issue noticed by and patch OK'ed by ajacoutot@. "I agree with the goal, and I suspect the diff actually achieves it" guenther@. In mount(8) output, do not misparse lines where fs_spec ends with the 2015-03-27T13:26:19Z schwarze schwarze@openbsd.org 2015-03-27T13:26:19Z urn:sha1:46d53d6e458e6b1e5ed45c9e19fadb15dd00077f two characters "on", which can for example happen for NFS mounts. Patch from Lauri Tirkkonen <lotheac at iki dot fi> on bugs@. If /etc/passwd contains incomplete lines ending before the 2015-03-27T12:33:36Z schwarze schwarze@openbsd.org 2015-03-27T12:33:36Z urn:sha1:e4edfe2a77ec509a9c11d5d2077fc949c324b159 home directory field, warn explicitly rather than stumbling into Perl "uninitialized value" warnings. Issue reported by Denis Lapshin <deniza at mindall dot org>. OK afresh1@ AnonCVS is designed to work with a user account that has no password and a 2014-12-04T00:07:21Z schwarze schwarze@openbsd.org 2014-12-04T00:07:21Z urn:sha1:90622da5738d844632eb0b975f5b2ae35de580a0 very special shell, so do not complain about that particular combination. Idea originally brought up by landry@ five years ago, repeatedly forgotten. Using feedback from sthen@ millert@ halex@; OK landry@ ajacoutot@.