From: Karl Pielorz <kpielorz@tdx.co.uk>
Organization: TDX - The Digital eXchange
To: current@FreeBSD.ORG
Subject: Re: adding DHCP client to src/contrib/
Date: Tue, 09 Feb 1999 07:44:28 +0000
Message-ID: <36BFE75C.E7EC4DCC@tdx.co.uk>
References: <199902090639.WAA08295@kithrup.com> <199902090718.XAA10270@kithrup.com>

Sean Eric Fagan wrote about the security implications of making the bpf device the default in GENERIC etc.:

> I'm sorry, but that's a complete non-issue:
>
> 1. /dev/bpf0 is mode 400, root.wheel -- to read it, you need to break root.
> 2. If you can break root, you can rebuild a kernel with BPF *anyway*.

Sorry - I disagree with that...

We run an ISP on FreeBSD, and we'd damn well notice someone _rebooting_ (or even trying to reboot) one of our machines (to get their new kernel to work its magic) - Heck, our machines _don't_ reboot from a 'shutdown -r'! - they're ASTs! :)

Whilst the argument about removing the source tree / kernel source etc. has always been pretty moot (what hacker worth their salt doesn't come prepared? :) - I don't like the idea of every root exploiter just being able to 'instantly' sit there and run BPF! (Without even things like tripwire having a chance of detecting a kernel change). I'd much rather have the hacker either blocked from doing this, or having to spend time doing it (e.g. getting the source / new kernel to the machine etc. - the longer the better)...

I think having bpf compiled in by default is going to be a Bad Move (tm). It _usually_ follows that if some new user has the ability to recompile the kernel with it 'in', they have enough sense to know the implications; put it in by default and you'll be giving every root hacker (or box where root access is sadly routine - and I know it probably shouldn't be) an instant Christmas present on those kinds of machines... (I know there's probably ways of doing this with kern_secure_level, but that defaults to 'NO' at the moment :)

Just my $0.04! (and no, it's not on fire... :)

-Kp
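The two facts the thread argues over are whether the bpf node is reachable from a given uid at all (Sean's point 1: mode 400, root.wheel) and whether the running kernel even has the driver compiled in (the point Karl wants attackers to have to rebuild for). The following is an added example, not code from this post, the thread, or FreeBSD: a small probe that tries to open(2) each of /dev/bpf0 through /dev/bpf3 and classifies the outcome from errno. The device names, the state names and the errno-to-state mapping are this example's own assumptions; the BIOCVERSION ioctl is only compiled in on a BSD, and on any other host the probe simply reports the nodes as absent.

```c
/*
 * bpf_probe.c - added example (not from the original post or FreeBSD):
 * can the current uid open a bpf device node, and does the kernel have
 * the driver at all?  The state names and the errno mapping below are
 * this example's own classification, not a FreeBSD API.
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__)
#include <sys/ioctl.h>
#include <net/bpf.h>            /* BIOCVERSION, struct bpf_version */
#endif

enum bpf_state {
    BPF_ABSENT,     /* no device node at that path (ENOENT) */
    BPF_NO_DRIVER,  /* node exists but the kernel has no bpf (ENXIO/ENODEV) */
    BPF_DENIED,     /* driver answers, but this uid may not open it */
    BPF_BUSY,       /* another process already holds this minor (EBUSY) */
    BPF_OPENABLE,   /* open(2) succeeded: this uid can read raw frames */
    BPF_OTHER       /* any other errno */
};

const char *bpf_state_name(enum bpf_state s)
{
    switch (s) {
    case BPF_ABSENT:    return "absent";
    case BPF_NO_DRIVER: return "no-driver";
    case BPF_DENIED:    return "denied";
    case BPF_BUSY:      return "busy";
    case BPF_OPENABLE:  return "OPENABLE";
    default:            return "other";
    }
}

/* Try to open one bpf node read-only and classify the result.  The errno
 * from open(2) (0 on success) is stored in *err when err is non-NULL. */
enum bpf_state bpf_probe(const char *path, int *err)
{
    int fd = open(path, O_RDONLY);
    if (fd >= 0) {
#ifdef BIOCVERSION
        /* On a BSD, confirm it really is a bpf device and not a stray node. */
        struct bpf_version bv;
        if (ioctl(fd, BIOCVERSION, &bv) == 0)
            printf("  %s: bpf filter language version %u.%u\n",
                   path, (unsigned)bv.bv_major, (unsigned)bv.bv_minor);
#endif
        close(fd);
        if (err) *err = 0;
        return BPF_OPENABLE;
    }
    if (err) *err = errno;
    switch (errno) {
    case ENOENT:             return BPF_ABSENT;
    case ENXIO: case ENODEV: return BPF_NO_DRIVER;
    case EACCES: case EPERM: return BPF_DENIED;
    case EBUSY:              return BPF_BUSY;
    default:                 return BPF_OTHER;
    }
}

/* Print the node's mode and owner, the two facts point (1) rests on. */
static void show_node(const char *path)
{
    struct stat st;
    if (stat(path, &st) == 0)
        printf("  %s: mode %04o uid %ld gid %ld\n", path,
               (unsigned)(st.st_mode & 07777), (long)st.st_uid, (long)st.st_gid);
}

int main(void)
{
    char path[32];
    int i, e;

    printf("probing as uid %ld\n", (long)geteuid());
    for (i = 0; i < 4; i++) {
        enum bpf_state s;
        snprintf(path, sizeof path, "/dev/bpf%d", i);   /* assumed node names */
        s = bpf_probe(path, &e);
        printf("%s: %s", path, bpf_state_name(s));
        if (e) printf(" (%s)", strerror(e));
        printf("\n");
        show_node(path);
    }
    return 0;
}
```

Run it once as an unprivileged user and once as root: "denied" for the former and "OPENABLE" for the latter is exactly the situation Sean describes, while "no-driver" on every node is what a kernel built without bpf looks like, and is the state Karl wants an intruder to have to spend a rebuild and a reboot to get out of.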