Date:      Sat, 01 Dec 2001 15:32:03 -0800 (PST)
From:      John Baldwin <jhb@FreeBSD.org>
To:        Dave <mudman@R181172.resnet.ucsb.edu>
Cc:        freebsd-security@freebsd.org
Subject:   RE: options USER_LDT
Message-ID:  <XFMail.011201153203.jhb@FreeBSD.org>
In-Reply-To: <Pine.BSF.4.33.0111302322520.763-100000@R181172.resnet.ucsb.edu>


On 01-Dec-01 Dave wrote:
> 
> I really have no clue what the kernel option:
> options       USER_LDT
> 
> means, except this rugged definition I found in LINT (paraphrase):
> "Allow applications running in user space to manipulate the Local
> Descriptor Table (LDT)"
> 
> Since it didn't come in the GENERIC (FBSD 4.4 REL), I'm assuming that
> someone, somewhere, thought it would be a good idea to have this disabled
> by default and maybe it was meant to be added in only by people who know
> what they are doing.

No, it's enabled by default, not disabled by default.

> Is there a security risk by allowing programs to access the Local
> Descriptor Table?  (I'm not sure what the LDT is, but if it was off for a
> reason I wouldn't want to challenge the decisions of those more informed
> than myself.  If it wasn't for an efficiency judgement, it could of been
> for a security judgement)

There shouldn't be, since each program has its own LDT if it uses the syscalls
to set one up.  It can't use the LDT to look outside of its own address space
since the addresses that come out of the LDT still have to go through the page
tables.

-- 

John Baldwin <jhb@FreeBSD.org>  <><  http://www.FreeBSD.org/~jhb/
"Power Users Use the Power to Serve!"  -  http://www.FreeBSD.org/
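The mechanism John describes above, as an added worked example that is not part of the original thread or of FreeBSD's code: a small C model of the i386 address path. A logical address (selector:offset) is turned into a linear address by the LDT descriptor (base + offset, after the limit check), and that linear address then goes through the page tables, where an unmapped page or a supervisor-only page faults. The descriptor bit layout is the real 8-byte i386 format that i386_set_ldt(2) takes; the LDT entries, the page table and the physical frame numbers are constructed for the demo (the 0x08048000 text page, 0xBFFFF000 stack page and 0xC0000000 kernel page are assumed addresses, not taken from any particular kernel). The point it shows: a process may put any 32-bit base in its own LDT, even one inside kernel space, but it can only ever reach the pages its own page table maps as user-accessible.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12

/* Encode a 32-bit data segment descriptor in the real i386 8-byte layout
 * (limit[15:0], base[15:0], base[23:16], type/S/DPL/P, limit[19:16]/flags,
 * base[31:24]).  This is the raw form a user process would hand to
 * i386_set_ldt(2).  DPL is 3 and the segment is read/write data. */
static uint64_t make_descriptor(uint32_t base, uint32_t limit, int granularity)
{
    uint64_t d = 0;
    d |= (uint64_t)(limit & 0xFFFF);
    d |= (uint64_t)(base & 0xFFFF) << 16;
    d |= (uint64_t)((base >> 16) & 0xFF) << 32;
    d |= (uint64_t)0x3 << 40;                   /* type: data, read/write */
    d |= (uint64_t)1 << 44;                     /* S = 1: code/data segment */
    d |= (uint64_t)3 << 45;                     /* DPL 3 (user) */
    d |= (uint64_t)1 << 47;                     /* P: present */
    d |= (uint64_t)((limit >> 16) & 0xF) << 48;
    d |= (uint64_t)1 << 54;                     /* D/B: 32-bit segment */
    d |= (uint64_t)(granularity & 1) << 55;     /* G: limit in 4 KiB pages */
    d |= (uint64_t)((base >> 24) & 0xFF) << 56;
    return d;
}

/* Pull the scattered base and limit fields back out of a descriptor. */
static uint32_t desc_base(uint64_t d)
{
    return (uint32_t)((d >> 16) & 0xFFFF)
         | (uint32_t)((d >> 32) & 0xFF) << 16
         | (uint32_t)((d >> 56) & 0xFF) << 24;
}

static uint32_t desc_limit(uint64_t d)
{
    uint32_t lim = (uint32_t)(d & 0xFFFF) | (uint32_t)((d >> 48) & 0xF) << 16;
    if ((d >> 55) & 1)                          /* G set: limit is in pages */
        lim = (lim << PAGE_SHIFT) | 0xFFF;
    return lim;
}

/* Selector for LDT entry `index`: TI bit (0x4) set, RPL 3. */
static uint16_t ldt_selector(unsigned index)
{
    return (uint16_t)((index << 3) | 0x4 | 0x3);
}

enum xlat_status { XLAT_OK = 0, XLAT_GP = 1, XLAT_PF = 2 };

/* Constructed page table for a hypothetical 32-bit process: one text page and
 * one stack page mapped user-accessible, plus a kernel page that is mapped
 * but supervisor-only (as kernel memory is in a process's page tables). */
struct page_map { uint32_t vpn; uint32_t pfn; bool user; };
static const struct page_map demo_pt[] = {
    { 0x08048, 0x01234, true  },   /* text page at linear 0x08048000 */
    { 0xBFFFF, 0x05678, true  },   /* stack page at linear 0xBFFFF000 */
    { 0xC0000, 0x00000, false },   /* kernel page at linear 0xC0000000 */
};

/* Model the CPU: selector:offset -> (LDT) -> linear -> (page table) -> physical. */
static enum xlat_status translate(const uint64_t *ldt, size_t nldt, uint16_t sel,
                                  uint32_t offset, const struct page_map *pt,
                                  size_t npt, uint32_t *phys)
{
    unsigned index = sel >> 3;
    if (!(sel & 0x4) || index >= nldt) return XLAT_GP;  /* only LDT selectors modelled */
    uint64_t d = ldt[index];
    if (!((d >> 47) & 1)) return XLAT_GP;               /* not present (#NP on real hardware) */
    if (offset > desc_limit(d)) return XLAT_GP;         /* segment limit check -> #GP */
    uint32_t linear = desc_base(d) + offset;            /* wraps mod 2^32 like a 32-bit CPU */
    uint32_t vpn = linear >> PAGE_SHIFT;
    for (size_t i = 0; i < npt; i++) {
        if (pt[i].vpn != vpn) continue;
        if (!pt[i].user) return XLAT_PF;                /* supervisor page from ring 3 -> #PF */
        *phys = (pt[i].pfn << PAGE_SHIFT) | (linear & 0xFFF);
        return XLAT_OK;
    }
    return XLAT_PF;                                     /* unmapped page -> #PF */
}

/* Constructed LDT: entry 0 covers the process's own text page, entry 1 is a
 * 4 GiB segment based in kernel space, entry 2 points at an unmapped address. */
static size_t build_demo_ldt(uint64_t ldt[3])
{
    ldt[0] = make_descriptor(0x08048000, 0xFFF, 0);
    ldt[1] = make_descriptor(0xC0000000, 0xFFFFF, 1);
    ldt[2] = make_descriptor(0x12340000, 0xFFF, 0);
    return 3;
}

/* One access through the demo LDT and page table. */
static enum xlat_status demo_access(unsigned ldt_index, uint32_t offset, uint32_t *phys)
{
    uint64_t ldt[3];
    size_t n = build_demo_ldt(ldt);
    return translate(ldt, n, ldt_selector(ldt_index), offset,
                     demo_pt, sizeof demo_pt / sizeof demo_pt[0], phys);
}

int main(void)
{
    static const char *names[] = { "OK", "#GP", "#PF" };
    struct { unsigned idx; uint32_t off; const char *what; } cases[] = {
        { 0, 0x10,       "own text page"                       },
        { 0, 0x1000,     "offset past segment limit"           },
        { 1, 0x0,        "kernel page via user LDT entry"      },
        { 1, 0x48048000, "kernel base + offset wrapping to own text page" },
        { 2, 0x0,        "unmapped address"                    },
        { 5, 0x0,        "selector index beyond LDT"           },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t phys = 0;
        enum xlat_status s = demo_access(cases[i].idx, cases[i].off, &phys);
        printf("%-48s -> %s", cases[i].what, names[s]);
        if (s == XLAT_OK) printf(" (phys 0x%08x)", phys);
        printf("\n");
    }
    return 0;
}
```

The fourth case is the one worth staring at: the base 0xC0000000 plus a large offset wraps around to 0x08048000, so the access succeeds, but only because it landed back on a page the process already owns. What the model leaves out is the kernel's side of the bargain: the real security claim depends on the syscall that installs LDT entries rejecting descriptors with DPL 0, system-segment types or other privileged bits, since that validation, not the address arithmetic, is where an implementation mistake would have to be.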
