From owner-freebsd-ipfw  Tue Jul 27 10:18:34 1999
Delivered-To: freebsd-ipfw@freebsd.org
Received: from ns.mt.sri.com (ns.mt.sri.com [206.127.79.91])
	by hub.freebsd.org (Postfix) with ESMTP
	id 7729214E10; Tue, 27 Jul 1999 10:18:27 -0700 (PDT)
	(envelope-from nate@mt.sri.com)
Received: from mt.sri.com (rocky.mt.sri.com [206.127.76.100])
	by ns.mt.sri.com (8.8.8/8.8.8) with SMTP id LAA15551;
	Tue, 27 Jul 1999 11:18:03 -0600 (MDT)
	(envelope-from nate@rocky.mt.sri.com)
Received: by mt.sri.com (SMI-8.6/SMI-SVR4)
	id LAA25910; Tue, 27 Jul 1999 11:18:02 -0600
Date: Tue, 27 Jul 1999 11:18:02 -0600
Message-Id: <199907271718.LAA25910@mt.sri.com>
From: Nate Williams <nate@mt.sri.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: Matthew Dillon <dillon@apollo.backplane.com>
Cc: "Brian F. Feldman" <green@FreeBSD.ORG>,
	Joe Greco <jgreco@ns.sol.net>, hackers@FreeBSD.ORG,
	freebsd-ipfw@FreeBSD.ORG
Subject: Re: securelevel and ipfw zero
In-Reply-To: <199907270348.UAA49943@apollo.backplane.com>
References: <Pine.BSF.4.10.9907262322120.35843-100000@janus.syracuse.net>
	<199907270348.UAA49943@apollo.backplane.com>
X-Mailer: VM 6.34 under 19.16 "Lille" XEmacs Lucid
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

>     ipfw allows you to clear counters.  It is a feature that already exists.
> 
>     However, it does not allow you to do it if you are sitting at secure
>     level 3.
> 
>     Why not?  I can't think of any good reason why clearing the counters 
>     should be disallowed when sitting at a higher secure level.  The counters
>     are nothing more then statistics.  Clearing statistics is not a security
>     threat.

I just thought of a bad thing.  If you allowed the counters to be zero'd
(or advanced) at securelevel == 3, then a 'malicious user' could write a
cronjob to continually reset them and cause a DoS attack on the system
(or in the case of advance, reset them to ridiculously high values),
thus filling up the disk.

However, one could argue that *IF* they have root, they could just as
easily fill the disk with garbage and cause the same attack, ie;

# dd if=/dev/zero of=/var/log/misc

>     The discussion should simply be about that.  Not all this garbage
>     about adding new features.  There's a feature that does not seem
>     to impact security, secure level disallows it, why?

I'm not convinced there aren't other security implications from zero'ing
(or advancing) the counters.


Nate


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message