Date: Wed, 10 Nov 2004 13:52:59 -0600 From: "Jacques A. Vidrine" <nectar@FreeBSD.org> To: Xin LI <delphij@frontfree.net> Cc: freebsd-security@freebsd.org Subject: Re: Is there any way to know if userland is patched? Message-ID: <20041110195259.GB74491@madman.celabo.org> In-Reply-To: <20041110183046.GA3518@frontfree.net> References: <20041110173511.GA2940@frontfree.net> <4192539C.6040403@elischer.org> <20041110183046.GA3518@frontfree.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, Nov 11, 2004 at 02:30:46AM +0800, Xin LI wrote:
> I have an idea that is somewhat too complex to be included in FreeBSD - we
> maintain a ``master'' patchlevel, and two patchlevels indicating the least
> ``master'' patchlevel that touches kernel or userland. It might be something
> like this:
>
> Master | Userland | Kernel
> ========================+=======================+=======================
> 4.10-RELEASE | 4.10-RELEASE | 4.10-RELEASE
> 4.10-RELEASE-p1 | 4.10-RELEASE | 4.10-RELEASE-p1
> 4.10-RELEASE-p2 | 4.10-RELEASE | 4.10-RELEASE-p2
> 4.10-RELEASE-p3 | 4.10-RELEASE-p3 | 4.10-RELEASE-p2
>
> And propograte it somewhere. This is somewhat complex as the security officer
> must bump two version when he is doing a security update and I'm not sure whether
> this is beneficial enough so I hesitate to proposal a patch of this,
Actually, some time ago I thought of doing something quite similar. At
first, I wanted to alter uname(3) to return not the kernel version, but
a userland version string. Borrowing from the way Solaris does it, I
thought we'd just stick the version in /etc/release. That way
"patching" /etc/release would be sufficient for userland issues. But of
course that doesn't help us with kernel issues, and the fact that kernel
and userland can accidently get out of sync.
So I thought perhaps we'd have a patch level for userland, and a patch
level for the kernel. Some patches would touch only the userland patch
level, and some the kernel patch level. There would also be recorded in
userland what the latest kernel patch level should be. Then uname(3)
would display the patch level according to whether the latest kernel is
loaded. (I know, this is a hard to follow description.)
Something like so:
userland_pl Patch level of currently installed userland.
expected_kernel_pl Patch level of currently installed kernel.
kernel_pl Patch level of currently running kernel.
Then, uname(3) will choose what patch level to display like so:
if (kernel_pl < expected_kernel_pl || kernel_pl > userland_pl)
return kernel_pl;
else
return userland_pl;
(Actually, we would probably make patch level bumps such that the
"kernel_pl > userland_pl" case never happens.)
In the end, what we want is for a user to type `uname -r' and to see
what patch level is running. Anything more complicated (checking RCS
Ids and such) just gets in the way, I think.
Cheers,
--
Jacques A Vidrine / NTT/Verio
nectar@celabo.org / jvidrine@verio.net / nectar@FreeBSD.org
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20041110195259.GB74491>