Date: Mon, 16 Jun 2008 19:10:17 +0100
From: "Rui Paulo" <rpaulo@FreeBSD.org>
To: "Stanislav Sedov" <stas@freebsd.org>
Cc: Peter Jeremy <peterjeremy@optushome.com.au>, Poul-Henning Kamp <phk@phk.freebsd.dk>, kib@freebsd.org, current@freebsd.org, Coleman Kane <cokane@freebsd.org>
Subject: Re: cpuctl(formely devcpu) patch test request
Message-ID: <e1309ba60806161110x5f774fcdic2f5c7b2e7bcb83e@mail.gmail.com>
In-Reply-To: <20080616204433.48ad9879.stas@FreeBSD.org>
References: <20080606020927.8d6675e1.stas@FreeBSD.org> <10261.1212703949@critter.freebsd.dk> <20080606025533.8322ee08.stas@FreeBSD.org> <1212758604.1904.33.camel@localhost> <20080615230250.7f3efae4.stas@FreeBSD.org> <1213557999.1816.15.camel@localhost> <20080616204433.48ad9879.stas@FreeBSD.org>
On Mon, Jun 16, 2008 at 5:44 PM, Stanislav Sedov <stas@freebsd.org> wrote:
> On Sun, 15 Jun 2008 15:26:39 -0400
> Coleman Kane <cokane@FreeBSD.org> mentioned:
>
>> I think the anti-foot-shooting measures referred to above were also
>> taken into consideration for security reasons. It might be valuable for
>> someone to be able to configure this feature to be rdmsr-only, thereby
>> limiting potential harm vectors in the event that an attacker is likely
>> to crack access to the system for supervisory privileges. This would be
>> a legitimate consideration to make, especially so that the module could
>> at least provide a sane "safe operating mode" to those that would
>> benefit from read-only access.
>>
>> So, for example, I would consider most crackers to be skilled enough to
>> inject an ioctl call somewhere, even if the primary user of the system
>> is not so skilled, but they want to use software written by others that
>> makes use of this interface.
>
> On the other hand, providing extra security levels via sysctl looks
> slightly overkill to me, as if the attacker would be able to issue
> an ioctl call somewhere it would be easy for him to make a sysctl
> call as well. Priv(9) checks and/or securelevels could be used
> to limit the usage of this functionality. Furthermore, there are
> a lot of other possible ways to execute msr instructions,
> including loading your own simple kernel object.

There's no security issue here. If the system administrator is concerned
about "security" of cpuctl, he/she just has to compile out cpuctl or remove
the module from the file system.

Regards,
--
Rui Paulo