From: Xin Li
Organization: The FreeBSD Project
Date: Wed, 30 Apr 2014 11:58:38 -0700
To: Corey Smith, freebsd-security@freebsd.org, matthew@freebsd.org, d@delphij.net
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:07.devfs
Message-ID: <536147DE.5030703@delphij.net>

On 04/30/14 11:51, Corey Smith wrote:
>> It would be interesting to find out if we could teach net-snmpd
>> to use alternative methods to access data it needs
>
> It is not necessary if you build net-mgmt/net-snmp with the
> UNPRIVILEGED knob set.

Will there be any lost functionality with that knob set? (I don't use
net-snmp myself)

If there is no lost functionality, I think it's sensible to hard wire
that option -- giving access to /dev/[k]mem makes me feel quite nervous,
especially for network-facing daemons...

Cheers,
-- 
Xin LI    https://www.delphij.net/
FreeBSD - The Power to Serve!    Live free or die