From owner-freebsd-security@FreeBSD.ORG Tue Feb 2 11:25:32 2010 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 88CA9106566C for ; Tue, 2 Feb 2010 11:25:32 +0000 (UTC) (envelope-from jespasac@minibofh.org) Received: from smtp01.cdmon.com (smtp01.cdmon.com [212.36.75.230]) by mx1.freebsd.org (Postfix) with ESMTP id 4C1E48FC15 for ; Tue, 2 Feb 2010 11:25:31 +0000 (UTC) Received: from jespasac.cdmon.com (62.Red-217-126-43.staticIP.rima-tde.net [217.126.43.62]) (Authenticated sender: jespasac@noverificar) by smtp01.cdmon.com (Postfix) with ESMTP id 631F2FCB22 for ; Tue, 2 Feb 2010 12:09:51 +0100 (CET) Message-ID: <4B6807FE.30106@minibofh.org> Date: Tue, 02 Feb 2010 12:09:50 +0100 From: Jordi Espasa Clofent User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.5) Gecko/20091209 Fedora/3.0-4.fc12 Lightning/1.0b1 Thunderbird/3.0 MIME-Version: 1.0 To: freebsd-security@freebsd.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 8bit X-Mailman-Approved-At: Tue, 02 Feb 2010 14:46:37 +0000 Subject: kern.randompid sysctl value X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Feb 2010 11:25:32 -0000 HI, 1. ¿What's the real value (in terms of security) of the random PIDs feature? According to this book http://books.google.es/books?id=gqKwaHmXp4YC&pg=PA50&lpg=PA50&dq=random+pids+security&source=bl&ots=jimAeOQK2Q&sig=WrsBiMAxU-lUCM3pdCjtIYfmiIo&hl=es&ei=OwVoS4nwGMeOjAek5ZCvCQ&sa=X&oi=book_result&ct=result&resnum=9&ved=0CCsQ6AEwCA#v=onepage&q=random%20pids%20security&f=false I understand that the random PIDs wil be a good security measure against some exploits (books says "race conditions"). OpenBSD folks (focused on security) have the random PIDs by defaul, so ¿why Freebsd don't use it by default? 2. ¿What will be a real secure value for sysctl parameter? I mean 'kern.randompid' isn't a boolean, but a large number which determines the numeric range to generate de random PIDs. ¿1000, 10000, 100000? Thanks in advance for aclarations. PD. I've real this old post http://marc.info/?l=freebsd-security&m=99495048923300&w=2. Interesting. -- I must not fear. Fear is the mind-killer. Fear is the little-death that brings total obliteration. I will face my fear. I will permit it to pass over me and through me. And when it has gone past I will turn the inner eye to see its path. Where the fear has gone there will be nothing. Only I will remain. Bene Gesserit Litany Against Fear.