Sven Vermeulen posted on Tue, 22 Aug 2017 17:37:51 +0000 as excerpted:

> On Tue, Aug 22, 2017 at 01:22:51PM -0400, Michael Orlitzky wrote:
>> The net-analyzer/nrpe package has a ./configure flag:
>>
>>   --enable-command-args allows clients to specify command arguments.
>>                         *** THIS IS A SECURITY RISK! ***
>>                         Read the SECURITY file before
>>                         using this option!
>>
>> Back in nrpe-2.x, it was available via USE=command-args, but I dropped
>> it from nrpe-3.x, and a user just asked about it (bug 628596). There
>> are at least two things we could do with a dangerous flag like that:
>>
>> 1) require EXTRA_ECONF to enable it.
>> 2) hide it behind a masked USE flag.
>>
>> Both options require about the same amount of work from the user,
>> namely editing something under /etc/portage. What do y'all think is the
>> best way to proceed? Are there other examples in the tree I could
>> follow?
>
> I like the masked USE flag approach. Using EXTRA_ECONF requires a bit
> more work from the user (not much though) but is less visible afterwards
> in my opinion.
>
> Perhaps a name that implies that there is a security risk could be
> interesting, but that's a minor suggestion.

IDR which package it was on, but I remember investigating a USE flag
called GAPING_SECURITY_HOLE or some such, on some package at some point.
Turned out it was pretty much just that, but someone needed the feature
it controlled on their firewalled LAN, and this flag is what the
maintainer came up with as a solution.

> Is there a way we could somehow ensure that a USE flag is never set
> globally, but only on a per-package basis?

The only mechanism I'm aware of for that, a hack but arguably an
effective one, is including the package name in the USE flag.

Combining all three suggestions, masked USE flag including the name of
the package and a warning such as GAPING_SECURITY_HOLE (the ALL CAPS
helps distinguish it too, since most USE flags are lowercase) in the
name, say as ...

nrpe-command-args-SECURITY-HOLE
or just
nrpe-GAPING-SECURITY-HOLE

... seems to me the most effective. Anyone that would even *think* to
enable something like that without doing some *serious* investigation
first, arguably shouldn't be using gentoo in the first place.

--
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman