Date: Sat, 8 May 2004 20:15:54 +0200
From: Pawel Jakub Dawidek <pjd@FreeBSD.org>
To: Darren Reed <darrenr@hub.freebsd.org>
Cc: cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/netinet ip_fastfwd.c ip_input.c ip_var.h
Message-ID: <20040508181554.GG24376@darkness.comp.waw.pl>
In-Reply-To: <20040508155249.GB96827@hub.freebsd.org>
References: <200405061846.i46Ik3Jc060969@repoman.freebsd.org> <20040506185854.GB1777@madman.celabo.org> <20040507072031.GA48708@hub.freebsd.org> <200405070755.36055.sam@errno.com> <20040508152531.GA96827@hub.freebsd.org> <20040508155249.GB96827@hub.freebsd.org>
On Sat, May 08, 2004 at 08:52:49AM -0700, Darren Reed wrote:
> Then again, if the rationale for having these sysctls is because
> we don't trust those code paths then:
> a) why don't we audit or do walk throughs or code inspections
> to fix this;
> b) why don't we add sysctls to disable all code paths that we
> have similar doubts about elsewhere in the kernel.
>
> Doing (b) is just stupid but if there are real concerns then there
> is a lot more to gain by doing (a) than adding these sysctls as a
> defence mechanism.

It isn't stupid and we do it in this way if functionality _could be_
insecure and it is only used by _a few_ (if anyone). Check:

- vfs.usermount,
- net.inet.ip.sourceroute (!!),
- security.jail.socket_unixiproute_only,
- security.jail.sysvipc_allowed,
- security.jail.getfsstate_getfsstatroot_only,
- security.bsd.unprivileged_get_quota.

Probably many more, and more that I'd be happier to see turned on by default:

- security.bsd.unprivileged_read_msgbuf,
- security.bsd.hardlink_check_uid,
- security.bsd.hardlink_check_gid.

> [...] Doing (a) leads to real security. What this
> patch provides, does not.

No, you are wrong. It leads to better security, that's all. How many times
was OpenSSH audited? The best thing you can do is to block all not-needed
functionality; for me, even capabilities aren't the answer, that's why I
coded CerbNG, that's why I like systrace. And I like this change, because I
don't have to load the whole firewall only for this (I agree here with Sam)
and this code isn't complex - it is worth it. Just like in life :) You have
to balance things all the time, here: introduced complexity and risk against
introduced benefits and security (how much complexity it removes if it
becomes the default?). It has my vote.
-- 
Pawel Jakub Dawidek                       http://www.FreeBSD.org
pjd@FreeBSD.org                           http://garage.freebsd.pl
FreeBSD committer                         Am I Evil? Yes, I Am!
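The argument above is that a sysctl knob is a cheap way to switch off a code path nobody needs, and that the knobs only help if they are actually set the way you expect. As an added example (not part of this thread and not FreeBSD's own code), the POSIX shell check below compares sysctl(8)-style `name: value` output against a small hardening policy built from the knobs Pawel lists. The expected values in the policy and the two sample outputs are constructed assumptions for the example, not FreeBSD defaults; on a real host you would feed it `sysctl -a` output instead of the embedded sample.

```shell
#!/bin/sh
# Constructed example: audit sysctl(8)-style "name: value" lines against a
# hardening policy. Policy values are this example's assumptions about what a
# conservative operator wants, NOT FreeBSD defaults.

# Policy: one "name expected_value" pair per line (knob names from the thread).
POLICY='net.inet.ip.sourceroute 0
vfs.usermount 0
security.bsd.unprivileged_read_msgbuf 0
security.bsd.hardlink_check_uid 1
security.bsd.hardlink_check_gid 1'

# Constructed sample output for a host that has source routing off but has
# left the msgbuf and hardlink checks in the permissive state.
SAMPLE_BAD='net.inet.ip.sourceroute: 0
vfs.usermount: 0
security.bsd.unprivileged_read_msgbuf: 1
security.bsd.hardlink_check_uid: 0
security.bsd.hardlink_check_gid: 0'

# Constructed sample output for a fully compliant host.
SAMPLE_OK='net.inet.ip.sourceroute: 0
vfs.usermount: 0
security.bsd.unprivileged_read_msgbuf: 0
security.bsd.hardlink_check_uid: 1
security.bsd.hardlink_check_gid: 1'

# policy_violations POLICY OUTPUT
# Prints one line per deviation: "name expected=X actual=Y", or "name MISSING"
# when the knob does not appear in OUTPUT at all (a knob that is absent is
# treated as a finding, because it means the kernel has no such switch).
policy_violations() {
    pv_policy=$1
    pv_output=$2
    printf '%s\n' "$pv_policy" | while read -r name want; do
        [ -n "$name" ] || continue
        # Exact match on the knob name; split only on the first ": ".
        actual=$(printf '%s\n' "$pv_output" |
                 awk -v k="$name" -F': ' '$1 == k { print $2; exit }')
        if [ -z "$actual" ]; then
            printf '%s MISSING\n' "$name"
        elif [ "$actual" != "$want" ]; then
            printf '%s expected=%s actual=%s\n' "$name" "$want" "$actual"
        fi
    done
}

# count_violations POLICY OUTPUT
# Echoes the number of deviation lines (0 means the host matches the policy).
count_violations() {
    policy_violations "$1" "$2" | awk 'END { print NR }'
}

# Stand-alone usage: report on the constructed non-compliant sample.
echo "Deviations in SAMPLE_BAD:"
policy_violations "$POLICY" "$SAMPLE_BAD"
echo "Total: $(count_violations "$POLICY" "$SAMPLE_BAD")"
```

On a live FreeBSD host the call would be `policy_violations "$POLICY" "$(sysctl -a)"`; the function only inspects the text it is given, so it can also be run offline over captured output from several machines.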
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040508181554.GG24376>