From: Pawel Jakub Dawidek
To: Darren Reed
Cc: cvs-src@FreeBSD.org, src-committers@FreeBSD.org, cvs-all@FreeBSD.org
Date: Sat, 8 May 2004 20:15:54 +0200
Subject: Re: cvs commit: src/sys/netinet ip_fastfwd.c ip_input.c ip_var.h
Message-ID: <20040508181554.GG24376@darkness.comp.waw.pl>
In-Reply-To: <20040508155249.GB96827@hub.freebsd.org>

On Sat, May 08, 2004 at 08:52:49AM -0700, Darren Reed wrote:
> Then again, if the rationale for having these sysctl's is because
> we don't trust those code paths then:
> a) why don't we audit or do walk-throughs or code inspections
> to fix this;
> b) why don't we add sysctl's to disable all code paths that we
> have similar doubts about elsewhere in the kernel.
>
> Doing (b) is just stupid but if there are real concerns then there
> is a lot more to gain by doing (a) than adding these sysctl's as a
> defence mechanism.

It isn't stupid, and we do it this way if functionality _could be_ insecure and it is only used by _a few_ (if anyone). Check:

- vfs.usermount,
- net.inet.ip.sourceroute (!!),
- security.jail.socket_unixiproute_only,
- security.jail.sysvipc_allowed,
- security.jail.getfsstate_getfsstatroot_only,
- security.bsd.unprivileged_get_quota.

Probably many more, and more that I'd be happier to see turned on by default:

- security.bsd.unprivileged_read_msgbuf,
- security.bsd.hardlink_check_uid,
- security.bsd.hardlink_check_gid.

> [...] Doing (a) leads to real security. What this
> patch provides, does not.

No, you are wrong. It leads to better security, that's all. How many times was OpenSSH audited?

The best thing you can do is to block all unneeded functionality; for me, even capabilities aren't the answer, that's why I coded CerbNG, that's why I like systrace.

And I like this change, because I don't have to load the whole firewall only for this (I agree with Sam here) and this code isn't complex, so it is worth it.

Just like in life :) You have to balance things all the time; here: introduced complexity and risk against introduced benefits and security (how much complexity does it remove if it becomes the default?).

It has my vote.

--
Pawel Jakub Dawidek                       http://www.FreeBSD.org
pjd@FreeBSD.org                           http://garage.freebsd.pl
FreeBSD committer                         Am I Evil? Yes, I Am!