Date: Wed, 26 Oct 2016 15:49:37 +0200 From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= <des@des.no> To: CeDeROM <cederom@tlen.pl> Cc: "Robert N. M. Watson" <rwatson@freebsd.org>, freebsd-security@freebsd.org, Pawel Jakub Dawidek <pjd@freebsd.org> Subject: Re: FreeBSD Security Advisory FreeBSD-SA-16:15.sysarch [REVISED] Message-ID: <86oa27usni.fsf@desk.des.no> In-Reply-To: <CAFYkXj=cACm0XJcXkA5Jw1Mq79u43yAU1EpHQ60MqcaRDUfj8A@mail.gmail.com> (cederom@tlen.pl's message of "Wed, 26 Oct 2016 15:33:31 %2B0200") References: <20161025173641.BCDFD1911@freefall.freebsd.org> <20161026042748.GG60006@garage.freebsd.pl> <CAGMYy3v8KxuQfou0SmUNikghH-9NWfneoMPP_15F85WkDaUhKg@mail.gmail.com> <20161026061504.GH60006@garage.freebsd.pl> <0717BEFA-4E65-4990-AC50-FD80681C110C@FreeBSD.org> <CAFYkXjn39kKzcTY-pJObaVz8OGqbzCHE69kYAmRYtz5OX2kpAQ@mail.gmail.com> <868ttbwio9.fsf@desk.des.no> <CAFYkXjmYCLyQi-PHNtcP2-AALH=2QRwAWBoQDtypUvBtekTFag@mail.gmail.com> <864m3zwdro.fsf@desk.des.no> <CAFYkXjmgvNz_LpkSJq7AeQp94oXJYvKcttFrYVKLEmmEvwNhkA@mail.gmail.com> <86wpgvuwq2.fsf@desk.des.no> <CAFYkXjnDe6nuA8QCCnQoDP2CYfcxfH3VWyYXm-Y8x4cWA8FpOw@mail.gmail.com> <86shrjuud4.fsf@desk.des.no> <CAFYkXj=cACm0XJcXkA5Jw1Mq79u43yAU1EpHQ60MqcaRDUfj8A@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
CeDeROM <cederom@tlen.pl> writes: > You have this idea to remove local denial of service advisories. No. With very few (imho unfortunate) exceptions, we have *never* issued advisories for local DoS exploits. So we're not taking anything away from you. > My idea is to move them into benchmarks/recommendations such as CIS, The CIS benchmarks are not lists of vulnerabilities. They are lists of best practices for configuring a machine, and shell scripts that tell you whether a machine is configured correctly according to the benchmark. The only way to prevent local denial of service attacks is to not have any users. A four-byte shell script will send the load through the roof. A seven- or ten-byte script will render the machine unusable, and you won't even be able to log in to kill it. These are not bugs, they're fundamental features of the operating system, and you can't plug them without making the system useless for its intended purpose. DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?86oa27usni.fsf>