Date: Wed, 1 May 2002 22:22:18 -0400 (EDT)
From: Robert Watson
To: Dag-Erling Smorgrav
Cc: arch@freebsd.org
Subject: Re: deperlifying sockstat(1)

On Wed, 1 May 2002, Robert Watson wrote:

> I'd love it if neither netstat nor sockstat required privilege to run,
> and could extract it all from sysctl. If you do that, make sure you
> call appropriate socket visibility hooks in the sysctl export so that it
> DTRT for jail, MAC, etc. Eliminating setgid kmem even more will
> continue to markedly improve the security of FreeBSD 5.0... I tweaked a
> couple out, and Thomas Moestl did a large chunk of the remainder, but
> there are still some that are left. In particular fixing systat would
> be highly desirable, as it does a fair amount of I/O.

FWIW, reviewing the binaries on my system, systat is no longer setgid.
Thomas got it already.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services