From: Ian Lepore
To: obrien@freebsd.org
Cc: Arthur Mesh, freebsd-security@freebsd.org, Doug Barton, freebsd-rc@freebsd.org
Subject: Re: svn commit: r239598 - head/etc/rc.d
Date: Thu, 06 Sep 2012 11:19:21 -0600
Message-ID: <1346951961.59094.158.camel@revolution.hippie.lan>
In-Reply-To: <20120906164514.GA14757@dragon.NUXI.org>

On Thu, 2012-09-06 at 09:45 -0700, David O'Brien wrote:
> > I'll have to give the kenv output a look. I would
> > also like to confirm that it's available on all platforms.
>
> Geez, I'm not that stupid. Do you see any guards within bin/Makefile
> that only build it for some architectures? I verified we have it on
> MIPS, ARM, and PowerPC and gives some output. It does not give as much
> system-specific output as on x86 -- I wish it did, but the output can be
> rather unique on x86 it is worth including it.
>

The kenv application may be available, but on any platform that lacks
/boot/loader it's likely to produce empty output. Because the kernel
environment is typically empty, an embedded system may not even have the
kenv binary installed.

I should note that I don't think the needs of embedded systems should
carry so much weight in this discussion that it leads to jumping through
major hoops. I think the most important point would be "Let failures be
soft ones" -- things you may think of as basic tools always available on
a minimal installation may not be there on a stripped down embedded
system; no big deal, just don't hang the system or anything else dire in
that case.

Beyond that, I think a facility that lets a specialized embedded system
provide an alternate command sequence for seeding covers the rest of the
needs of embedded systems well enough.

-- Ian
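
One way to implement the two points in the message above (soft failures, and an alternate command sequence for seeding), as an added example that is not part of the original message or of the FreeBSD rc.d code. The function names, the `SEED_CMDS_OVERRIDE` variable, and every default command other than `kenv` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: seed collection where every failure is a soft one.
# SEED_CMDS_OVERRIDE is a hypothetical knob, not a real rc.conf variable.

# Illustrative defaults (not the list from r239598), one command per line.
# Any of these may be absent on a stripped-down embedded system.
DEFAULT_SEED_CMDS='kenv
sysctl -a
date
ps -ax'

# collect_seed: run each source that is installed and write its output to
# stdout. Missing tools, non-zero exits and empty output are all tolerated.
# Always returns 0, so a caller can never abort boot because of it.
collect_seed() {
    cmds=${SEED_CMDS_OVERRIDE:-$DEFAULT_SEED_CMDS}
    printf '%s\n' "$cmds" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        set -- $line                       # split the trusted config line into argv
        # Tool not installed (for example kenv on a system without /boot/loader).
        command -v "$1" >/dev/null 2>&1 || continue
        # stdin from /dev/null: a source cannot block waiting for input, and
        # cannot swallow the rest of the command list from the pipe.
        "$@" </dev/null 2>/dev/null || true
    done
    return 0
}

# seed_to TARGET: feed the collected material to TARGET (the random device
# on a real system). An unwritable or missing target is logged, never fatal.
seed_to() {
    target=$1
    if [ ! -w "$target" ]; then
        echo "seed: $target not writable, skipping" >&2
        return 0
    fi
    collect_seed >"$target" 2>/dev/null || true
    return 0
}
```

An embedded image would set `SEED_CMDS_OVERRIDE` to its own sources (one command per line) and call `seed_to` with its random device path.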