path: root/share/man/man5/periodic.conf.5
author brooks <brooks@FreeBSD.org> 2010-11-13 00:40:43 +0000
committer brooks <brooks@FreeBSD.org> 2010-11-13 00:40:43 +0000
commit 479b7f42883a475385c5a0203d82972be32f2bdb (patch)
tree 1af23fa60f8e4b198022f866236556ba866c040d /share/man/man5/periodic.conf.5
parent 7b0aabca30b272cae8800569e8681db7f9b58c0d (diff)
Add an (off by default) check for negative permissions (where the
group on an object has less permissions than everyone). These
permissions will not work reliably over NFS if you have more than
14 supplemental groups and are usually not what you mean.

MFC after: 1 week
Diffstat (limited to 'share/man/man5/periodic.conf.5')
-rw-r--r-- share/man/man5/periodic.conf.5 8
1 files changed, 8 insertions, 0 deletions
diff --git a/share/man/man5/periodic.conf.5 b/share/man/man5/periodic.conf.5
index a3775d8..3213615 100644
--- a/share/man/man5/periodic.conf.5
+++ b/share/man/man5/periodic.conf.5
@@ -482,6 +482,14 @@ Set to
.Dq Li YES
to compare the modes and modification times of setuid executables with
the previous day's values.
+.It Va daily_status_security_neggrpperm_enable
+.Pq Vt bool
+Set to
+.Dq Li YES
+to check for files where the group of a file has less permissions than
+the world at large.
+When users are in more than 14 supplemental groups these negative
+permissions may not be enforced via NFS shares.
.It Va daily_status_security_chkmounts_enable
.Pq Vt bool
Set to
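Review bot: the new daily_status_security_neggrpperm_enable entry does not state its default, although the commit message describes the check as off by default; a reader of the man page alone cannot tell whether it runs unless they set it. The entry also gives only the NFS caveat ("may not be enforced via NFS shares") and omits the other reason from the commit message, that such modes are usually not what was intended, so it is unclear from the text why a local-only system would enable the check. Suggest adding a sentence on the default and on intent, and changing "less permissions" to "fewer permissions" in the first sentence of the entry.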