From owner-freebsd-audit Sun Jan 28 9: 3:46 2001
Date: Sun, 28 Jan 2001 15:50:03 +0000
From: Ben Smithurst
To: audit@FreeBSD.org
Subject: fix for 'tunefs -p'
Message-ID: <20010128155003.A68581@platinum.scientia.demon.co.uk>

tunefs -p seems to be broken, since the relevant case in the switch doesn't set found_arg = 1. This patch fixes it, any objections?

Index: tunefs.c =================================================================== RCS file: /usr/cvs/src/sbin/tunefs/tunefs.c,v retrieving revision 1.14 diff -u -r1.14 tunefs.c --- tunefs.c 2000/12/10 20:59:30 1.14 +++ tunefs.c 2001/01/28 15:48:05 
@@ -165,6 +165,7 @@ oflag = 1; break; case 'p': + found_arg = 1; pflag = 1; break; default:

--
Ben Smithurst / ben@FreeBSD.org / PGP: 0x99392F7D

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-audit" in the body of the message

From owner-freebsd-audit Tue Jan 30 20: 1:42 2001
Date: Tue, 30 Jan 2001 23:01:21 -0500 (EST)
From: Mike Heffner
Subject: patch for libc/net/hesiod.c
To: FreeBSD-audit

This patch fixes some string overflow issues in the hesiod(3) functions in libc.

Reviews?

Index: hesiod.c =================================================================== RCS file: /home/ncvs/src/lib/libc/net/hesiod.c,v retrieving revision 1.3 diff -u -r1.3 hesiod.c --- hesiod.c 2000/09/30 17:29:54 1.3 +++ hesiod.c 2001/01/31 03:13:37 @@ -162,7 +162,7 @@ const char *rhs; int len; - strcpy(bindname, name); + strlcpy(bindname, name, sizeof(bindname)); /* * Find the right right hand side to use, possibly 
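Review bot: the strlcpy() on the + line discards its return value, so a name longer than bindname is silently cut short and the function goes on to build a lookup for a different name than the caller passed. Compare the result with the buffer size and fail instead, e.g. `if (strlcpy(bindname, name, sizeof(bindname)) >= sizeof(bindname)) return NULL;`.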
@@ -197,17 +197,17 @@ return NULL; } /* Put together the rest of the domain. */ - strcat(bindname, "."); - strcat(bindname, type); + strlcat(bindname, ".", sizeof(bindname)); + strlcat(bindname, type, sizeof(bindname)); /* Only append lhs if it isn't empty. */ if (ctx->lhs && ctx->lhs[0] != '\0' ) { if (ctx->lhs[0] != '.') - strcat(bindname, "."); - strcat(bindname, ctx->lhs); + strlcat(bindname, ".", sizeof(bindname)); + strlcat(bindname, ctx->lhs, sizeof(bindname)); } if (rhs[0] != '.') - strcat(bindname, "."); - strcat(bindname, rhs); + strlcat(bindname, ".", sizeof(bindname)); + strlcat(bindname, rhs, sizeof(bindname)); /* rhs_list is no longer needed, since we're done with rhs. */ if (rhs_list)

--
Mike Heffner
Blacksburg, VA ICQ# 882073
http://filebox.vt.edu/users/mheffner

From owner-freebsd-audit Tue Jan 30 20:59:58 2001
To: freebsd-audit@FreeBSd.org
From: aeonflux@uact.net
Subject: etc/security changes
Date: Wed, 31 Jan 101 01:12:21 GMT
Message-Id: <20010131045941.9423237B69F@hub.freebsd.org>

greetings,

I'd like to make the following suggestion for a patch. Obviously as it stands failed ssh logins don't show up in the nightly security checkup. This patch corrects that. You can pull the actual file (for your convenience) from http://www.ms-group.com/security/security.patch if you'd prefer.

--- /etc/security Tue Jan 30 23:40:48 2001 +++ /etc/security Tue Jan 30 23:48:51 2001 @@ -18,6 +18,7 @@ [ -f $LOG/messages.0.gz ] && zcat $LOG/messages.0.gz [ -f $LOG/messages.0 ] && cat $LOG/messages.0 [ -f $LOG/messages ] && cat $LOG/messages + [ -f $LOG/security ] && cat $LOG/security } sflag=FALSE ignore= 
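Review bot: the added `[ -f $LOG/security ] && cat $LOG/security` line reads only the live file, while the three context lines above it read messages.0.gz and messages.0 as well as messages. If the security log is rotated the same way, entries from $yesterday that have already been rotated out will never reach the grep; consider adding matching lines for the rotated security files.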
@@ -162,6 +163,13 @@ separator echo "${host} login failures:" n=$(catmsgs | grep -i "^$yesterday.*login failure" | tee /dev/stderr | wc -l) +[ $n -gt 0 -a $rc -lt 1 ] && rc=1 + +# Show SSH login failures +# +separator +echo "${host} SSH login failures:" +n=$(catmsgs | grep -i "^$yesterday.*Failed password" | tee /dev/stderr | wc -l) [ $n -gt 0 -a $rc -lt 1 ] && rc=1 # Show tcp_wrapper warning messages

From owner-freebsd-audit Tue Jan 30 22:53:50 2001
Message-Id: <200101310653.f0V6rDC05333@gratis.grondar.za>
To: Mike Heffner
Cc: FreeBSD-audit
Subject: Re: patch for libc/net/hesiod.c
Date: Wed, 31 Jan 2001 08:53:31 +0200
From: Mark Murray

> This patch fixes some string overflow issues in the hesiod(3)
> functions in libc.
>
> Reviews?
>
>
> Index: hesiod.c

Looks good!

M
--
Mark Murray
Warning: this .sig is umop ap!sdn

From owner-freebsd-audit Wed Jan 31 0:16:32 2001
Date: Wed, 31 Jan 2001 08:18:11 +0000
From: Joao Fernandes
To: audit@freebsd.org
Subject: Security Patchs
Message-ID: <20010131081810.A561@OpsyDopsy.netcabo.pt>

Could anyone confirm to me that all the security patches that appear in audit do in fact get merged in the stable version of FBSD?

How could I apply a patch without having to remake the whole world?

Thanks in advance.

Joao Fernandes

From owner-freebsd-audit Wed Jan 31 6: 9:39 2001
Date: Wed, 31 Jan 2001 08:09:21 -0600
From: "Jacques A. Vidrine"
To: Mike Heffner
Cc: FreeBSD-audit
Subject: Re: patch for libc/net/hesiod.c
Message-ID: <20010131080920.A4720@hamlet.nectar.com>

On Tue, Jan 30, 2001 at 11:01:21PM -0500, Mike Heffner wrote:
> This patch fixes some string overflow issues in the hesiod(3)
> functions in libc.

Thanks! You may also want to send this to , since that's where the code originates. Of course, strlcpy/strlcat may be something of a portability problem for them.

> Reviews?
>
>
> Index: hesiod.c > =================================================================== > RCS file: /home/ncvs/src/lib/libc/net/hesiod.c,v > retrieving revision 1.3 > diff -u -r1.3 hesiod.c > --- hesiod.c 2000/09/30 17:29:54 1.3 > +++ hesiod.c 2001/01/31 03:13:37 
> @@ -162,7 +162,7 @@ > const char *rhs; > int len; > > - strcpy(bindname, name); > + strlcpy(bindname, name, sizeof(bindname));

How come no one checks for truncation? This should be e.g.

    if (strlcpy(bindname, name, sizeof(bindname)) >= sizeof(bindname))
        return NULL;

[snip]

Cheers,
--
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org

From owner-freebsd-audit Wed Jan 31 6:13:29 2001
Date: Wed, 31 Jan 2001 08:13:11 -0600
From: "Jacques A. Vidrine"
To: Mike Heffner
Cc: FreeBSD-audit
Subject: Re: patch for libc/net/hesiod.c
Message-ID: <20010131081310.B4720@hamlet.nectar.com>

On Tue, Jan 30, 2001 at 11:01:21PM -0500, Mike Heffner wrote:
> This patch fixes some string overflow issues in the hesiod(3)
> functions in libc.
>
> Reviews?

The following doesn't appear to be necessary... the length is checked before any calls to strcat. If you were going to use strlcat here, then it would be appropriate to remove the length-checking code. However, I don't recommend this, due to the portability issue I mentioned in my previous message.

[snip]

> @@ -197,17 +197,17 @@ > return NULL; > } > /* Put together the rest of the domain. */ > - strcat(bindname, "."); > - strcat(bindname, type); > + strlcat(bindname, ".", sizeof(bindname)); > + strlcat(bindname, type, sizeof(bindname)); > /* Only append lhs if it isn't empty. */ > if (ctx->lhs && ctx->lhs[0] != '\0' ) { > if (ctx->lhs[0] != '.') > - strcat(bindname, "."); > - strcat(bindname, ctx->lhs); > + strlcat(bindname, ".", sizeof(bindname)); > + strlcat(bindname, ctx->lhs, sizeof(bindname)); > } > if (rhs[0] != '.') > - strcat(bindname, "."); > - strcat(bindname, rhs); > + strlcat(bindname, ".", sizeof(bindname)); > + strlcat(bindname, rhs, sizeof(bindname)); > > /* rhs_list is no longer needed, since we're done with rhs. */ > if (rhs_list)

Cheers,
--
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org

From owner-freebsd-audit Wed Jan 31 6:17:18 2001
Date: Wed, 31 Jan 2001 08:16:59 -0600
From: "Jacques A. Vidrine"
To: FreeBSD-audit
Cc: Mike Heffner
Subject: [UPDATED] Re: patch for libc/net/hesiod.c
Message-ID: <20010131081659.C4720@hamlet.nectar.com>

This is the patch I think should be applied. Comments?

Thanks, Mike, for checking this stuff out!

diff -u -r1.3 hesiod.c --- hesiod.c 2000/09/30 17:29:54 1.3 +++ hesiod.c 2001/01/31 14:16:06 @@ -162,7 +162,10 @@ const char *rhs; int len; - strcpy(bindname, name); + if (strlcpy(bindname, name, sizeof(bindname)) >= sizeof(bindname)) { + errno = EMSGSIZE; + return NULL; + } /* * Find the right right hand side to use, possibly

Cheers,
--
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org

From owner-freebsd-audit Wed Jan 31 11:30:31 2001
Date: Wed, 31 Jan 2001 14:30:09 -0500 (EST)
From: Mike Heffner
Subject: RE: [UPDATED] Re: patch for libc/net/hesiod.c
In-reply-to: <20010131081659.C4720@hamlet.nectar.com>
To: "Jacques A. Vidrine"
Cc: FreeBSD-audit

On 31-Jan-2001 Jacques A. Vidrine wrote:
| This is the patch I think should be applied. Comments?
|

Yes, this looks better and protects against truncation. I hadn't noticed the pre-existing length checks before the strcat()'s. I'll forward your patch to the address you mentioned in case they can use it.

| Thanks, Mike, for checking this stuff out!

No problem, thanks for reviewing! :)

|
| diff -u -r1.3 hesiod.c | --- hesiod.c 2000/09/30 17:29:54 1.3 | +++ hesiod.c 2001/01/31 14:16:06 | @@ -162,7 +162,10 @@ | const char *rhs; | int len; | | - strcpy(bindname, name); | + if (strlcpy(bindname, name, sizeof(bindname)) >= sizeof(bindname)) { | + errno = EMSGSIZE; | + return NULL; | + } | | /* | * Find the right right hand side to use, possibly
|
| Cheers,
| --
| Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org

--
Mike Heffner
Blacksburg, VA ICQ# 882073
http://filebox.vt.edu/users/mheffner

From owner-freebsd-audit Thu Feb 1 1:39:51 2001
Date: Thu, 1 Feb 2001 01:40:04 -0800
From: Kris Kennaway
To: Joao Fernandes
Cc: audit@FreeBSD.ORG
Subject: Re: Security Patchs
Message-ID: <20010201014004.A71460@xor.obsecurity.org>
In-Reply-To: <20010131081810.A561@OpsyDopsy.netcabo.pt>; from OpsyDopsy@netcabo.pt on Wed, Jan 31, 2001 at 08:18:11AM +0000

On Wed, Jan 31, 2001 at 08:18:11AM +0000, Joao Fernandes wrote:
> Could anyone confirm to me that all the security patches that appear in audit
> do in fact get merged in the stable version of FBSD?

This is a list for patch proposal and discussion. The ones which are correct get applied to the tree once they are reviewed and hopefully merged to -stable.

> How could I apply a patch without having to remake the whole world?

You don't, unless you know what you're doing :-)

Kris

From owner-freebsd-audit Thu Feb 1 16:59: 9 2001
Date: Fri, 2 Feb 2001 01:58:44 +0100
To: freebsd-audit@freebsd.org
Subject: patch to remove setgid kmem from top
Message-ID: <20010202015844.A1246@crow.dom2ip.de>
From: Thomas Moestl

Hi,

I have prepared a set of patches that allow running top as an ordinary user without setgid kmem. As this is somehow security related (and because I would like these patches to be reviewed), I'm posting to -audit. Please give me a pointer if you feel that this is the wrong forum.

All information top needs is now read via the sysctl interface. One sysctl, kern.lastpid, had to be added for this. It exports the nextpid variable, which reflects the highest PID used up to now. This information was given away before by top. It could allow discovering a PID before the corresponding process is run for the first time (but after the fork call started when randompid is enabled). I don't think that this is a security issue (there are other ways to discover PIDs after all, unless with restrict e.g. ps).

Another thing that needed to be changed is the libkvm kvm_getswapinfo() call that made heavy use of kvm_read. I have changed the kernel to do per swap area accounting (as discussed on -hackers), and have exported this information via the vm.nswapdev sysctl (number of swap areas) and the vm.swapdevX nodes (where X is the device), which contain the MIBs dev, nblks, used and flags. A patch to libkvm makes use of these new sysctls in the case of "live" kernels, and changes the dump case so that the information gathered in the kernel is used instead of walking the radix tree. A side effect of this change is that kvm_getswapinfo() is faster now in the general case. If the SWIF_DUMP_TREE flag is given (pstat -ss does this), the radix tree walker, which still uses kvm_read in any case, is invoked, but I don't think that this information needs to be exported for ordinary users.

The changes are split into three diffs:
- for top: http://www.tu-bs.de/~y0015675/top.diff
- for libkvm: http://www.tu-bs.de/~y0015675/libkvm.diff
- for the kernel: http://www.tu-bs.de/~y0015675/sysctl.diff

(I don't want to post the patch files if not necessary, they are a bit large for that).

Could someone please review these patches, and if they are OK, commit them?

Thanks,
- thomas

From owner-freebsd-audit Thu Feb 1 17:11:31 2001
Date: Thu, 1 Feb 2001 17:11:45 -0800
From: Kris Kennaway
To: Thomas Moestl
Cc: freebsd-audit@FreeBSD.ORG
Subject: Re: patch to remove setgid kmem from top
Message-ID: <20010201171145.A75869@xor.obsecurity.org>
In-Reply-To: <20010202015844.A1246@crow.dom2ip.de>; from tmoestl@gmx.net on Fri, Feb 02, 2001 at 01:58:44AM +0100

On Fri, Feb 02, 2001 at 01:58:44AM +0100, Thomas Moestl wrote:

> I have prepared a set of patches that allow running top as an ordinary
> user without setgid kmem.

Excellent!

> One sysctl, kern.lastpid, had to be added for this. It exports the
> nextpid variable, which reflects the highest PID used up to now.

Just to be clear, this isn't "the next PID which will be used by a forked process", but "the PID of the last created process"? I'm pretty sure the counter is incremented at fork-time (the issue is if we're doing random PID increments to defeat prediction, we obviously don't want to tip our hand). The latter is publicly available information and I don't see an issue with this.

Kris

From owner-freebsd-audit Thu Feb 1 17:25:39 2001
Date: Fri, 2 Feb 2001 02:25:15 +0100
From: Thomas Moestl
To: Kris Kennaway
Cc: freebsd-audit@FreeBSD.ORG
Subject: Re: patch to remove setgid kmem from top
Message-ID: <20010202022515.A1453@crow.dom2ip.de>
In-Reply-To: <20010201171145.A75869@xor.obsecurity.org>; from kris@obsecurity.org on Thu, Feb 01, 2001 at 05:11:45PM -0800

On Thu, Feb 01, 2001 at 05:11:45PM -0800, Kris Kennaway wrote:
> > One sysctl, kern.lastpid, had to be added for this. It exports the
> > nextpid variable, which reflects the highest PID used up to now.
>
> Just to be clear, this isn't "the next PID which will be used by a
> forked process", but "the PID of the last created process"? I'm pretty
> sure the counter is incremented at fork-time (the issue is if we're
> doing random PID increments to defeat prediction, we obviously don't
> want to tip our hand). The latter is publicly available information
> and I don't see an issue with this.

Yes. nextpid is taken in fork1, incremented by one, then randomness is added (if enabled) and then the needed checks are done etc. This new PID that is going to be used by the just-being-created process is then written back into newpid. So this shouldn't give the new PID away until the fork is already in process and the PID is assigned.

- thomas

From owner-freebsd-audit Thu Feb 1 19:23:53 2001
Message-ID: <017a01c08cc7$8727ffe0$edcf1f40@pdq.net>
From: "Jason Smethers"
To: "FreeBSD-audit"
Subject: Convert taskqueue from splhigh() to mtx_*()
Date: Thu, 1 Feb 2001 21:23:34 -0600

The following patch converts taskqueue from spl[high,x]()'s to mtx_*() and adds appropriate sys[un]init functions in the hopes that one day these will be placeable in a throwaway ELF section. It is pretty much a straightforward spl -> mtx changeover. Other changes include some usage simplification IMO, and I added a KASSERT() to taskqueue_free() but there is currently no consumer of this routine.

Currently there is only one consumer of taskqueue - the generic software interrupt taskqueue. The software interrupt taskqueue has four consumers: aac, acpica, amr, and mly.

The patch compiles, but is not tested with these consuming drivers.

http://64.31.203.118/~jason/FreeBSD-other/queue/patches/taskqueue.patch

Thanks
- Jason

From owner-freebsd-audit Thu Feb 1 20:52:39 2001
Date: Thu, 01 Feb 2001 23:52:19 -0500 (EST)
From: Mike Heffner
Subject: RE: Convert taskqueue from splhigh() to mtx_*()
In-reply-to: <017a01c08cc7$8727ffe0$edcf1f40@pdq.net>
To: Jason Smethers
Cc: FreeBSD-audit

Minor point, but I think these three mtx_exit()'s need the address operator for the mutex.

@@ -117,13 +131,13 @@ .... - - splx(s); + mtx_exit(queue->tq_lock, MTX_DEF); .... @@ -132,7 +146,7 @@ */ if (task->ta_pending) { task->ta_pending++; - - splx(s); + mtx_exit(queue->tq_lock, MTX_DEF); return 0; } .... 
@@ -159,7 +174,7 @@ if (queue->tq_enqueue) queue->tq_enqueue(queue->tq_context); - - splx(s); + mtx_exit(queue->tq_lock, MTX_DEF); return 0; }

On 02-Feb-2001 Jason Smethers wrote:
| The following patch converts taskqueue from spl[high,x]()'s to mtx_*()
| and adds appropriate sys[un]init functions in the hopes that one day
| these will be placeable in a throwaway ELF section. It is pretty much
| a straightforward spl -> mtx changeover. Other changes include some
| usage simplification IMO, and I added a KASSERT() to
| taskqueue_free() but there is currently no consumer of this routine.
|
| Currently there is only one consumer of taskqueue - the generic
| software interrupt taskqueue. The software interrupt taskqueue has
| four consumers: aac, acpica, amr, and mly.
|
| The patch compiles, but is not tested with these consuming drivers.
|
| http://64.31.203.118/~jason/FreeBSD-other/queue/patches/taskqueue.patch
|
| Thanks
| - Jason

--
Mike Heffner
Blacksburg, VA ICQ# 882073
http://filebox.vt.edu/users/mheffner

From owner-freebsd-audit Fri Feb 2 9: 5: 7 2001
Date: Fri, 2 Feb 2001 12:04:44 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: Thomas Moestl
Cc: freebsd-audit@freebsd.org
Subject: Re: patch to remove setgid kmem from top
In-Reply-To: <20010202015844.A1246@crow.dom2ip.de>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

This is great -- I won't have a chance to look in detail at your patches
for a bit, but it seems that this is a great step forwards. I don't
suppose you want to now turn your interest to netstat, vmstat, iostat,
dmesg, nfsstat, pstat, and systat? :-) Much of the information needed in
many of these is already exported -- in my mind systat is the most
important as it links against ncurses and provides an interactive
interface. Also, systat is least likely to suffer from the "but it won't
work on a kernel dump" syndrome as it is generally not used for a post
mortem.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

From owner-freebsd-audit Fri Feb 2 9:14:48 2001
Delivered-To: freebsd-audit@freebsd.org
Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.189])
    by hub.freebsd.org (Postfix) with SMTP id CA95437B4EC
    for ; Fri, 2 Feb 2001 09:14:11 -0800 (PST)
Received: (qmail 16956 invoked by uid 1000); 2 Feb 2001 17:12:01 -0000
Date: Fri, 2 Feb 2001 19:12:01 +0200
From: Peter Pentchev
To: Robert Watson
Cc: Thomas Moestl , freebsd-audit@freebsd.org
Subject: Re: patch to remove setgid kmem from top
Message-ID: <20010202191201.X328@ringworld.oblivion.bg>
Mail-Followup-To: Robert Watson , Thomas Moestl , freebsd-audit@freebsd.org
References: <20010202015844.A1246@crow.dom2ip.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from rwatson@freebsd.org on Fri, Feb 02, 2001 at 12:04:44PM -0500
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Fri, Feb 02, 2001 at 12:04:44PM -0500, Robert Watson wrote:
>
> This is great -- I won't have a chance to look in detail at your patches
> for a bit, but it seems that this is a great step forwards. I don't
> suppose you want to now turn your interest to netstat, vmstat, iostat,
> dmesg, nfsstat, pstat, and systat? :-) Much of the information needed in
> many of these is already exported -- in my mind systat is the most
> important as it links against ncurses and provides an interactive
> interface. Also, systat is least likely to suffer from the "but it won't
> work on a kernel dump" syndrome as it is generally not used for a post
> mortem.

Actually, working on a kernel dump has absolutely nothing to do with
suid/sgid-ness, IMHO.. I might be terribly wrong here, but doesn't
sgidness come because the utilities must examine the core kernel memory
- which is all in the dump file? If working on a dump, do *stat really
need access to the memory/symbols of the *running* kernel?

G'luck,
Peter

--
This sentence would be seven words long if it were six words shorter.

From owner-freebsd-audit Fri Feb 2 9:21:35 2001
Delivered-To: freebsd-audit@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50])
    by hub.freebsd.org (Postfix) with ESMTP id 8049E37B699
    for ; Fri, 2 Feb 2001 09:21:17 -0800 (PST)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3])
    by fledge.watson.org (8.11.1/8.11.1) with SMTP id f12HL9h31353;
    Fri, 2 Feb 2001 12:21:09 -0500 (EST)
    (envelope-from robert@fledge.watson.org)
Date: Fri, 2 Feb 2001 12:21:08 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: Peter Pentchev
Cc: Thomas Moestl , freebsd-audit@freebsd.org
Subject: Re: patch to remove setgid kmem from top
In-Reply-To: <20010202191201.X328@ringworld.oblivion.bg>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Fri, 2 Feb 2001, Peter Pentchev wrote:

> On Fri, Feb 02, 2001 at 12:04:44PM -0500, Robert Watson wrote:
> >
> > This is great -- I won't have a chance to look in detail at your patches
> > for a bit, but it seems that this is a great step forwards. I don't
> > suppose you want to now turn your interest to netstat, vmstat, iostat,
> > dmesg, nfsstat, pstat, and systat? :-) Much of the information needed in
> > many of these is already exported -- in my mind systat is the most
> > important as it links against ncurses and provides an interactive
> > interface. Also, systat is least likely to suffer from the "but it won't
> > work on a kernel dump" syndrome as it is generally not used for a post
> > mortem.
>
> Actually, working on a kernel dump has absolutely nothing to do with
> suid/sgid-ness, IMHO.. I might be terribly wrong here, but doesn't
> sgidness come because the utilities must examine the core kernel memory
> - which is all in the dump file? If working on a dump, do *stat really
> need access to the memory/symbols of the *running* kernel?

There are two reasons why the current kmem interface for retrieving kernel
configuration/statistics is used:

1) Necessary information is not exported using sysctl, ioctl, or other
management interfaces.

2) Using the kmem interface allows the same programs to be applied to
kernel dumps to allow post-mortem analysis in the same way they work on
the live kernel when pointed to /dev/kmem. This is a bit like being
able to point gdb at both a dump and /dev/mem. This allows no special
case coding to handle one or the other.

As tools are migrated to using sysctl() for information retrieval,
allowing the setgid kmem bit to be removed, we've found resistance if the
tools then lose the ability to be used on dumps for post-mortem. For
example, vmstat -m and netstat are both very useful tools for
understanding the condition of a kernel at the moment it panicked. The
tricky bit is not so much in moving to sysctl(), but allowing the tool to
still work on both of them without lots of special-case coding. This is
why ps and other tools continue to use the kmem process information
interface, even though in practice they don't use kmem, rather sysctl, to
retrieve the information. It's ugly, but it's not clear what the right
solution is. This use of the same structures for management and internal
use in the kernel has caused breakage elsewhere, and is one reason why
Kirk recently committed code to distinguish the in-kernel proc structure
and one used outside the kernel, so that changes in the in-kernel
structure don't break all the management tools.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

From owner-freebsd-audit Fri Feb 2 9:29:11 2001
Delivered-To: freebsd-audit@freebsd.org
Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.189])
    by hub.freebsd.org (Postfix) with SMTP id 3F2ED37B6A4
    for ; Fri, 2 Feb 2001 09:28:50 -0800 (PST)
Received: (qmail 17723 invoked by uid 1000); 2 Feb 2001 17:27:13 -0000
Date: Fri, 2 Feb 2001 19:27:13 +0200
From: Peter Pentchev
To: Robert Watson
Cc: Thomas Moestl , freebsd-audit@freebsd.org
Subject: Re: patch to remove setgid kmem from top
Message-ID: <20010202192712.Y328@ringworld.oblivion.bg>
Mail-Followup-To: Robert Watson , Thomas Moestl , freebsd-audit@freebsd.org
References: <20010202191201.X328@ringworld.oblivion.bg>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from rwatson@freebsd.org on Fri, Feb 02, 2001 at 12:21:08PM -0500
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Fri, Feb 02, 2001 at 12:21:08PM -0500, Robert Watson wrote:
>
> On Fri, 2 Feb 2001, Peter Pentchev wrote:
>
> > On Fri, Feb 02, 2001 at 12:04:44PM -0500, Robert Watson wrote:
> > >
> > > This is great -- I won't have a chance to look in detail at your patches
> > > for a bit, but it seems that this is a great step forwards. I don't
> > > suppose you want to now turn your interest to netstat, vmstat, iostat,
> > > dmesg, nfsstat, pstat, and systat? :-) Much of the information needed in
> > > many of these is already exported -- in my mind systat is the most
> > > important as it links against ncurses and provides an interactive
> > > interface. Also, systat is least likely to suffer from the "but it won't
> > > work on a kernel dump" syndrome as it is generally not used for a post
> > > mortem.
> >
> > Actually, working on a kernel dump has absolutely nothing to do with
> > suid/sgid-ness, IMHO.. I might be terribly wrong here, but doesn't
> > sgidness come because the utilities must examine the core kernel memory
> > - which is all in the dump file? If working on a dump, do *stat really
> > need access to the memory/symbols of the *running* kernel?
>
> There are two reasons why the current kmem interface for retrieving kernel
> configuration/statistics is used:
>
> 1) Necessary information is not exported using sysctl, ioctl, or other
> management interfaces.
>
> 2) Using the kmem interface allows the same programs to be applied to
> kernel dumps to allow post-mortem analysis in the same way they work on
> the live kernel when pointed to /dev/kmem. This is a bit like being
> able to point gdb at both a dump and /dev/mem. This allows no special
> case coding to handle one or the other.
>
> As tools are migrated to using sysctl() for information retrieval,
> allowing the setgid kmem bit to be removed, we've found resistance if the
> tools then lose the ability to be used on dumps for post-mortem. For
> example, vmstat -m and netstat are both very useful tools for
> understanding the condition of a kernel at the moment it panicked. The
> tricky bit is not so much in moving to sysctl(), but allowing the tool to
> still work on both of them without lots of special-case coding. This is
> why ps and other tools continue to use the kmem process information
> interface, even though in practice they don't use kmem, rather sysctl, to
> retrieve the information. It's ugly, but it's not clear what the right
> solution is. This use of the same structures for management and internal
> use in the kernel has caused breakage elsewhere, and is one reason why
> Kirk recently committed code to distinguish the in-kernel proc structure
> and one used outside the kernel, so that changes in the in-kernel
> structure don't break all the management tools.

I'm aware of all this; I just meant that IF the tools are changed to use
sysctl() on the running kernel and libkvm or direct mapping or whatever
they're using now on crash dumps, THEN the tools need no longer be setgid.
Being setgid has nothing to do with the ability to work on a crashdump,
it's all about libkvm access to the running kernel.

True, the two are interrelated, inasmuch as if a tool is not setgid
anymore, this *most probably* means it only uses sysctl's and cannot work
on a crashdump - it does not *necessarily* mean that, though; with special
case handling, a non-setgid tool can work on a crash dump just as well :)

OK, OK, I'll shut up now - yes, we are saying mostly the same things,
and yes, I just had to state my point of view on those very same things
once again :)

G'luck,
Peter

--
I am the meaning of this sentence.

From owner-freebsd-audit Fri Feb 2 9:44:41 2001
Delivered-To: freebsd-audit@freebsd.org
Received: from harmony.village.org (rover.village.org [204.144.255.66])
    by hub.freebsd.org (Postfix) with ESMTP id 4338D37B69F;
    Fri, 2 Feb 2001 09:44:23 -0800 (PST)
Received: from harmony.village.org (localhost.village.org [127.0.0.1])
    by harmony.village.org (8.11.1/8.11.1) with ESMTP id f12HiL945711;
    Fri, 2 Feb 2001 10:44:22 -0700 (MST)
    (envelope-from imp@harmony.village.org)
Message-Id: <200102021744.f12HiL945711@harmony.village.org>
To: Robert Watson
Subject: Re: patch to remove setgid kmem from top
Cc: Peter Pentchev , Thomas Moestl , freebsd-audit@FreeBSD.ORG
In-reply-to: Your message of "Fri, 02 Feb 2001 12:21:08 EST."
References:
Date: Fri, 02 Feb 2001 10:44:21 -0700
From: Warner Losh
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

In message Robert Watson writes:
: As tools are migrated to using sysctl() for information retrieval,
: allowing the setgid kmem bit to be removed, we've found resistance if the
: tools then lose the ability to be used on dumps for post-mortem.

Maybe we need to "support" an interface that is like sysctl, but that
can get information out of vmcore.1 instead of the kernel. It would
have to know the guts of how sysctl is implemented and it couldn't
support "function call" sysctls. Then again, maybe I misunderstand how
certain sysctls work, or don't realize that there are too many
"function call" sysctls out there. Most of the ones I've ever dealt
with were "just set the variable in the code" sorts.

Warner

From owner-freebsd-audit Fri Feb 2 9:45:54 2001
Delivered-To: freebsd-audit@freebsd.org
Received: from mail.gmx.net (sproxy.gmx.net [194.221.183.20])
    by hub.freebsd.org (Postfix) with SMTP id E0BA737B699
    for ; Fri, 2 Feb 2001 09:45:34 -0800 (PST)
Received: (qmail 25899 invoked by uid 0); 2 Feb 2001 17:44:50 -0000
Received: from p3e9c2f5a.dip.t-dialin.net (HELO forge.local) (62.156.47.90)
    by mail.gmx.net (mp001-rz3) with SMTP; 2 Feb 2001 17:44:50 -0000
Received: from thomas by forge.local with local (Exim 3.16 #1 (Debian))
    id 14OkGK-0000l0-00; Fri, 02 Feb 2001 18:44:44 +0100
Date: Fri, 2 Feb 2001 18:44:44 +0100
From: Thomas Moestl
To: Robert Watson
Cc: freebsd-audit@freebsd.org
Subject: Re: patch to remove setgid kmem from top
Message-ID: <20010202184444.A2902@crow.dom2ip.de>
Mail-Followup-To: Thomas Moestl , Robert Watson , freebsd-audit@freebsd.org
References: <20010202015844.A1246@crow.dom2ip.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from rwatson@freebsd.org on Fri, Feb 02, 2001 at 12:04:44PM -0500
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Fri, Feb 02, 2001 at 12:04:44PM -0500, Robert Watson wrote:
> This is great -- I won't have a chance to look in detail at your patches
> for a bit, but it seems that this is a great step forwards. I don't
> suppose you want to now turn your interest to netstat, vmstat, iostat,
> dmesg, nfsstat, pstat, and systat? :-) Much of the information needed in
> many of these is already exported -- in my mind systat is the most
> important as it links against ncurses and provides an interactive
> interface. Also, systat is least likely to suffer from the "but it won't
> work on a kernel dump" syndrome as it is generally not used for a post
> mortem.

Actually, I want to take care of the remaining setgid kmem programs.
As you proposed, my next victim will probably be systat, as it has only
7 remaining kvm_read calls in two files (plus kvm_getswapinfo, which I
had already patched for top to no longer need kmem access for live
kernels).

- thomas

From owner-freebsd-audit Fri Feb 2 9:47:30 2001
Delivered-To: freebsd-audit@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50])
    by hub.freebsd.org (Postfix) with ESMTP id AD7EB37B6A3
    for ; Fri, 2 Feb 2001 09:47:12 -0800 (PST)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3])
    by fledge.watson.org (8.11.1/8.11.1) with SMTP id f12Hl8h31630;
    Fri, 2 Feb 2001 12:47:08 -0500 (EST)
    (envelope-from robert@fledge.watson.org)
Date: Fri, 2 Feb 2001 12:47:08 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: Peter Pentchev
Cc: Thomas Moestl , freebsd-audit@freebsd.org
Subject: Re: patch to remove setgid kmem from top
In-Reply-To: <20010202192712.Y328@ringworld.oblivion.bg>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Fri, 2 Feb 2001, Peter Pentchev wrote:

> OK, OK, I'll shut up now - yes, we are saying mostly the same things,
> and yes, I just had to state my point of view on those very same things
> once again :)

Yes, I recommend we flame each other substantially as we violently agree
with one another. :-)

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

From owner-freebsd-audit Fri Feb 2 10:16:46 2001
Delivered-To: freebsd-audit@freebsd.org
Received: from harmony.village.org (rover.village.org [204.144.255.66])
    by hub.freebsd.org (Postfix) with ESMTP id 0D6CC37B6EA;
    Fri, 2 Feb 2001 10:16:27 -0800 (PST)
Received: from harmony.village.org (localhost.village.org [127.0.0.1])
    by harmony.village.org (8.11.1/8.11.1) with ESMTP id f12IGQ945948;
    Fri, 2 Feb 2001 11:16:26 -0700 (MST)
    (envelope-from imp@harmony.village.org)
Message-Id: <200102021816.f12IGQ945948@harmony.village.org>
To: Robert Watson
Subject: Re: patch to remove setgid kmem from top
Cc: Peter Pentchev , Thomas Moestl , freebsd-audit@FreeBSD.ORG
In-reply-to: Your message of "Fri, 02 Feb 2001 12:47:08 EST."
References:
Date: Fri, 02 Feb 2001 11:16:26 -0700
From: Warner Losh
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

In message Robert Watson writes:
: On Fri, 2 Feb 2001, Peter Pentchev wrote:
:
: > OK, OK, I'll shut up now - yes, we are saying mostly the same things,
: > and yes, I just had to state my point of view on those very same things
: > once again :)
:
: Yes, I recommend we flame each other substantially as we violently agree
: with one another. :-)

Ah come on guys. This thread is lacking in the bitter acrimony that
we all enjoy watching. Get with the program :-)

Warner
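
Warner Losh's suggestion earlier in this thread, a sysctl-like lookup that reads from a crash dump and cannot serve "function call" sysctls, modelled as a self-contained program. This is an added example, not code from the thread or from FreeBSD: `dump_sysctl`, the `oid_ent` table and the `demo.*` names are hypothetical, and the dump is a constructed byte buffer rather than a real vmcore.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model (not FreeBSD code): how each sysctl name is backed. */
enum oid_kind { OID_VAR, OID_PROC };  /* plain variable vs. handler function */

struct oid_ent {
    const char *name;
    enum oid_kind kind;
    size_t off;            /* offset of the backing variable in the dump */
    size_t len;            /* size of the backing variable */
};

struct dump {
    const uint8_t *img;    /* dump contents; a constructed buffer below */
    size_t size;
    const struct oid_ent *oids;
    size_t noids;
};

/*
 * sysctl-like read against a dump. Returns 0, or an errno value:
 * ENOENT unknown name, EOPNOTSUPP handler-backed entry (no kernel is
 * running to call it), ENOMEM buffer too small, EFAULT bad dump offset.
 */
int dump_sysctl(const struct dump *d, const char *name, void *buf, size_t *len)
{
    for (size_t i = 0; i < d->noids; i++) {
        const struct oid_ent *e = &d->oids[i];
        if (strcmp(e->name, name) != 0)
            continue;
        if (e->kind == OID_PROC)
            return EOPNOTSUPP;
        if (*len < e->len)
            return ENOMEM;
        /* A dump is untrusted input: bounds-check before copying. */
        if (e->off > d->size || e->len > d->size - e->off)
            return EFAULT;
        memcpy(buf, d->img + e->off, e->len);
        *len = e->len;
        return 0;
    }
    return ENOENT;
}

/* Constructed sample: 8-byte image, one 4-byte value at offset 4. */
static const uint8_t sample_img[8] = { 0, 0, 0, 0, 0x2a, 0, 0, 0 };
static const struct oid_ent sample_oids[] = {
    { "demo.counter",   OID_VAR,  4, 4 },
    { "demo.proclist",  OID_PROC, 0, 0 },  /* computed by a handler */
    { "demo.truncated", OID_VAR,  6, 4 },  /* runs past the image end */
};
const struct dump sample_dump = { sample_img, sizeof sample_img, sample_oids, 3 };

int main(void)
{
    uint8_t buf[8];
    size_t len = sizeof buf;
    return dump_sysctl(&sample_dump, "demo.counter", buf, &len);
}
```

The reader only opens a file the caller can already read, so it needs no setgid kmem bit, which is the separation Peter Pentchev argues for above.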