Date: Thu, 09 Nov 2023 08:54:22 +0100
From: Alexander Leidinger
To: freebsd-arch@freebsd.org
Subject: Any particular reason we don't have sshd oomprotected by default?
Message-ID: <8b9484ba83e373ece0e322e14c924da6@Leidinger.net>

Hi,

We have syslogd oomprotected by default (/etc/defaults/rc.conf). Is there a particular reason we don't have sshd protected the same way? Any objections if I commit such a change (sshd_oomprotect=YES in defaults/rc.conf)?

I was also thinking about which other daemons we should protect by default, but apart from the need to make sure important logs are written to find the issues which may have caused the OOM trigger, and the need to be able to log in to such a troubled system, I didn't see any other service as critical enough to include in this proposal (we could argue about ntpd, but I tend to be on the "may be protected" side (not for my use cases) and not on the "has to be protected" side).

Bye,
Alexander.

--
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netchild@FreeBSD.org  : PGP 0x8F31830F9F2772BF
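As an added example (not part of the mail above and not code from FreeBSD's rc.subr), a POSIX sh check that resolves the effective `<name>_oomprotect` value in the order rc(8) reads the files (defaults first, then the rc_conf_files override it) and tests a process flags word for the P_PROTECTED bit that protect(1) sets. The rc.conf contents are constructed; the flag value 0x00100000 is taken from FreeBSD's sys/proc.h and the hex flags format from `ps -o flags`.

```shell
#!/bin/sh
# Resolve the effective <name>_oomprotect value the way rc(8) sees it:
# /etc/defaults/rc.conf is read first, then the files in rc_conf_files
# (/etc/rc.conf /etc/rc.conf.local) override it; the last assignment wins.
effective_oomprotect() {
    _name=$1; shift
    _val=""
    for _f in "$@"; do
        [ -r "$_f" ] || continue
        # last matching assignment in this file; strip quotes and comments
        _line=$(grep -E "^[[:space:]]*${_name}_oomprotect=" "$_f" | tail -n 1)
        if [ -n "$_line" ]; then
            _val=${_line#*=}
            _val=${_val%%#*}
            _val=$(printf '%s' "$_val" | tr -d '"'"'"' \t')
        fi
    done
    # unset means not protected; rc.subr's checkyesno also accepts yes/true/on/1
    printf '%s\n' "${_val:-NO}"
}

# Test a process flags word (hex, as printed by `ps -o flags= -p PID`) for
# P_PROTECTED, 0x00100000 in sys/proc.h: the bit protect(1) sets so the
# kernel skips the process when it has to kill something on memory overcommit.
is_oom_protected() {
    [ $(( 0x$1 & 0x100000 )) -ne 0 ]
}

# Constructed sample files (not a real host's configuration): the defaults
# protect syslogd only, the local rc.conf adds the proposed sshd setting.
make_sample_conf() {
    cat > "$1/defaults.rc.conf" <<'EOF'
syslogd_oomprotect="YES"
sshd_oomprotect="NO"
EOF
    cat > "$1/rc.conf" <<'EOF'
sshd_enable="YES"
sshd_oomprotect="YES"   # local override of the default
EOF
}

# Stand-alone run: show the effective state for the daemons the mail discusses.
dir=$(mktemp -d)
make_sample_conf "$dir"
for d in syslogd sshd ntpd; do
    printf '%s_oomprotect=%s\n' "$d" \
        "$(effective_oomprotect "$d" "$dir/defaults.rc.conf" "$dir/rc.conf")"
done
rm -rf "$dir"
```

On a live FreeBSD host the same check would be run against /etc/defaults/rc.conf and /etc/rc.conf, and `is_oom_protected "$(ps -o flags= -p "$(cat /var/run/sshd.pid)")"` confirms that the running daemon actually carries the flag.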