From owner-freebsd-security Tue Jul 25 1:29: 9 2000
Delivered-To: freebsd-security@freebsd.org
Received: from dlt.follo.net (elde.org [195.204.143.185])
    by hub.freebsd.org (Postfix) with ESMTP
    id 4E9B937B840; Tue, 25 Jul 2000 01:29:05 -0700 (PDT)
    (envelope-from terje@elde.net)
Received: by dlt.follo.net (Postfix, from userid 1002)
    id DEA215EF3E; Tue, 25 Jul 2000 10:29:01 +0200 (CEST)
Date: Tue, 25 Jul 2000 10:29:01 +0200
From: Terje Elde
To: Adrian Chadd
Cc: Robert Watson, Sheldon Hearn, Joachim Strömbergson, Greg Lewis, freebsd-security@FreeBSD.ORG
Subject: Re: Status of FreeBSD security work? Audit, regression and crypto swap?
Message-ID: <20000725102901.A32679@dlt.follo.net>
References: <20000720124805.D70017@dlt.follo.net> <20000724210042.O62551@ywing.creative.net.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.4i
In-Reply-To: <20000724210042.O62551@ywing.creative.net.au>; from adrian@FreeBSD.ORG on Mon, Jul 24, 2000 at 09:00:42PM +0200
X-Mailer: Mutt http://www.mutt.org/
X-Editor: Vim http://www.vim.org/
X-IRC: ircii!epic4-2000 - prevail[1214]
X-Goal: Exterminate All Rational Thought
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

* Adrian Chadd (adrian@FreeBSD.ORG) [000724 21:40]:
> > For an "ugly hack, but up and running today" kinda solution, you could always
> > do what I do... Use cfs (yes, the software tcfs is based on is running under
> > freebsd, and is available in the ports collection) for your file systems, then
> > swap to a file, on one of the encrypted file systems.
> >
> > It's not a pretty sight, but it does the job.
>
> What's wrong with a bdev io layer like vinum/ccd which does crypto?
> Then you could swap and filesystem to your block devices to your heart's
> content with whatever filesystem you wanted?

This would work, and probably significantly faster than the cfs model, with
its double mount points and so on. It would however also (IMHO) fall under the
not pretty hack umbrella, as this doesn't easily allow handling of multi-user
situations and so on.

Bottom line in this case is that if anyone wants to spend a weekend coding
this up then that will be an advantage for all the people wanting to use
encrypted homedirs and swap on single-user workstations. It will make the world
a little better, but it might also delay implementation and deployment of a
proper system.

As far as I can see what it all boils down to is that this will be coded if
someone wants it bad enough to take the time. Then we'll just have to see if
it delays other good stuff...

To finish off with some questions...

Does anyone at this time plan on taking the time to look at integrating TCFS
into FreeBSD?

Are there any other possibilities than a bdev io layer, cfs and tcfs?

Terje

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.2 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE5fU/H8HLgLrwmRg0RAqfrAJ9Rozagx6bFj65OITuE/nQhDp+zUgCfbOvK
S7I824Obbdg1lQzhHr2M6H0=
=f6sI
-----END PGP SIGNATURE-----