From owner-freebsd-security Sun Dec 2 9:41:42 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail5.speakeasy.net (mail5.speakeasy.net [216.254.0.205]) by hub.freebsd.org (Postfix) with ESMTP id F0DC437B405 for ; Sun, 2 Dec 2001 09:41:36 -0800 (PST) Received: (qmail 21028 invoked from network); 2 Dec 2001 17:41:35 -0000 Received: from unknown (HELO laptop.baldwin.cx) ([64.81.54.73]) (envelope-sender ) by mail5.speakeasy.net (qmail-ldap-1.03) with SMTP for ; 2 Dec 2001 17:41:35 -0000 Message-ID: X-Mailer: XFMail 1.4.0 on FreeBSD X-Priority: 3 (Normal) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 8bit MIME-Version: 1.0 In-Reply-To: <200112021259.fB2CxNh62460@sheol.localdomain> Date: Sun, 02 Dec 2001 09:41:35 -0800 (PST) From: John Baldwin To: (D J Hawkey Jr) Subject: Re: options USER_LDT Cc: security@FreeBSD.ORG Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On 02-Dec-01 D J Hawkey Jr wrote: > In article , > jhb@FreeBSD.ORG writes: >> >> On 02-Dec-01 Bruce Evans wrote: >>> On Sat, 1 Dec 2001, John Baldwin wrote: >>> >>>> On 01-Dec-01 Dave wrote: >>>> > >>>> > I really have no clue what the kernel option: >>>> > options USER_LDT >>>> > >>>> > means, except this rugged definition I found in LINT (paraphrase): >>>> > "Allow applications running in user space to manipulate the Local >>>> > Descriptor Table (LDT)" >>>> > >>>> > Since it didn't come in the GENERIC (FBSD 4.4 REL), I'm assuming that >>>> > someone, somewhere, thought it would be a good idea to have this >>>> > disabled >>>> > by default and maybe it was meant to be added in only by people who know >>>> > what they are doing. >>>> >>>> No, it's enabled by default, not disabled by default. >>> >>> Er, not in RELENG_4. It can only be enabled by default if it doesn't >>> exist, >>> as in -current :-). >> >> Ah, nm, I misread it thinking that the option was gone from 4.4 completely. >> To >> answer the original question then: it's not enabled by default most likely >> because when it was added as a new feature it was left as an option that was >> off by default so that any bugs it might have wouldn't bite people he didn't >> need it. > > Um, guys? I think your language is becoming too tortured. Does USER_LDT > still exist as a kernel option, and is it still doc'd in LINT? Does it > pose a security risk in the more current releases? And is it enabled now > by default, or simply depreciated, and no longer a possible "gotcha" in > running Wine or mplayer? In 4.4, it is still a kernel option not enabled by default. It poses no security risk in any release of FreeBSD. In 5.0 it is now on by default and no longer a kernel option because we decided it has now been tested long enough and we no longer need a fallback to disable it. -- John Baldwin <>< http://www.FreeBSD.org/~jhb/ "Power Users Use the Power to Serve!" - http://www.FreeBSD.org/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message