Date: Mon, 29 Nov 1999 18:13:23 -0800 (PST) From: Matthew Dillon <dillon@apollo.backplane.com> To: Warner Losh <imp@village.org> Cc: cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG Subject: Re: cvs commit: src/sys/i386/conf files.i386 src/sys/kern kern_fork.c src/sys/libkern arc4random.c src/sys/sys libkern.h Message-ID: <199911300213.SAA13910@apollo.backplane.com> References: <199911292344.PAA12574@apollo.backplane.com> <199911292239.OAA11977@apollo.backplane.com> <Pine.BSF.4.21.9911291431310.19254-100000@hub.freebsd.org> <199911292335.QAA97810@harmony.village.org> <199911300129.SAA98529@harmony.village.org>
next in thread | previous in thread | raw e-mail | index | archive | help
:: publically readable. You can obtain a list of pid's from that,
:: figure out which one is new, and still win the race.
::
:: You see? Randomizing pid's is *very* weak security.
:
:It increase the amount of work needed to find out the pid in question.
:This reduces the chances of winning the race to create the symbolic
:links. The sequential pids make this sort of attack trivial. An
I don't think this is really increasing the amount of work required.
Even without /proc all a person has to do is load up 25% or 20% or
some percentage of links and he can still break root, with or without
random pids.
Partial security solutions thus do not necessarily make your system
security better, they can have the opposite effect as well: Security
bugs may not be found quickly enough due to the added obscurity due to
the partial solution, leaving your doors wide open without you necessarily
knowing it or leaving you with a false sense of security.
Given the choice, I prefer a strong solution or at least a medium
solution. A weak solution is useless.
-Matt
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199911300213.SAA13910>