Date: Thu, 11 Mar 1999 19:30:29 -0500 (EST)
From: Robert Watson
To: Mark Newton
Cc: Archie Cobbs, ark@eltex.ru, freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD SKIP port updated
In-Reply-To: <199903120019.KAA05025@frenzy.ct>

On Fri, 12 Mar 1999, Mark Newton wrote:

> Archie Cobbs wrote:
>
> > Mark Newton writes:
> > > > > I am curious if someone tried to update it to compile in-kernel.
> > > > > I don't use LKMs, I have them disabled for security reasons (no flames
> > > > > please)
> > > >
> > > > Well, there's no reason you couldn't load it at boot time.
> > > > Ie, add it to boot.conf (or loader.conf or whatever it's called).
> > >
> > > If you have KLDs disabled that shouldn't work (and it represents a
> > > pretty major security issue if it does!)
> >
> > I thought the disabling of KLD's only blocked the kldload() process.
> > Guess not.
>
> From a brief look at the source, you might be right.
>
> This is bad. I'd think disabling KLDs should totally disable the
> in-kernel linker. Otherwise someone could get new modules into your
> kernel by adding 'em to loader.rc and forcing a reboot.

Arguably, in a securelevel environment, the {/boot,/modules} directories
should be entirely noschg. Otherwise the user could specify alternative
kernels, use alternative bootstrap code, etc. Any of these yields kernel
privileges. I would argue that disabling kldload in securelevels is a good
idea; removing the ability to have a dynamically linked kernel from
/modules et al is a bad idea; instead, appropriate file protection should
be used.

Robert N Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: 03 01 DD 8E 15 67 48 73 25 6D 10 FC EC 68 C1 1C

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
Safeport Network Services             http://www.safeport.com/
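An added example, not part of the original message or of FreeBSD: one way to check the file protection discussed above by listing everything under the named directories that lacks the system-immutable flag (schg). The function names, the sample listing and the `stat -f '%Sf %N'` output layout ("FLAGS PATH", with "-" for no flags) are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: report files and directories without the schg flag.

# Read "FLAGS PATH" lines on stdin and print each PATH whose comma-separated
# FLAGS field does not contain schg. "-" means no flags are set.
missing_schg() {
    while read -r flags path; do
        [ -n "$path" ] || continue
        case ",$flags," in
            *,schg,*) ;;                      # system immutable: nothing to report
            *) printf '%s\n' "$path" ;;       # uchg alone does not count
        esac
    done
}

# Constructed sample listing, so the parser can be exercised on any system.
sample_listing() {
    cat <<'EOF'
schg /boot/loader
- /boot/loader.rc
schg,nodump /modules/example.ko
uchg /modules/my module.ko
EOF
}

# Live audit; assumes FreeBSD find(1), stat(1) and sysctl(8).
audit() {
    level=$(sysctl -n kern.securelevel) || return 2
    # schg can be cleared again by root unless the securelevel is above 0.
    [ "$level" -gt 0 ] || echo "securelevel is $level: schg can still be removed"
    # Directories are listed too: a mutable directory lets files be replaced.
    find "$@" -exec stat -f '%Sf %N' {} + | missing_schg
}

# Run the live audit only when invoked with arguments, e.g.:
#   sh audit-schg.sh /boot /modules
[ "$#" -eq 0 ] || audit "$@"
```

Any path printed by the audit can still be altered by root before the next reboot, which is the loader.rc scenario raised in the quoted text.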