Date: Mon, 21 Jun 2004 16:39:10 +0200 From: Max Laier <max@love2party.net> To: freebsd-current@freebsd.org Cc: Michael Reifenberger <mike@Reifenberger.com> Subject: Re: startup error for pflogd Message-ID: <200406211639.22243.max@love2party.net> In-Reply-To: <20040621105114.G9108@fw.reifenberger.com> References: <20040620134437.P94503@fw.reifenberger.com> <20040620230350.O1720@fw.reifenberger.com> <20040621105114.G9108@fw.reifenberger.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--Boundary-02=_aMv1AXkPYyr+Yg8 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline On Monday 21 June 2004 10:57, Michael Reifenberger wrote: > Hi, > as it seems is pflogd requiring an user "_pflogd" to work which is not > installed by default under FreeBSD. Oh, I knew I forgot something :-\ > As it seems is OpenBSD aggressivly using "_<service>" users. > Is this something we should follow? I'll try to explain the reasoning behind this. If there are a zillion=20 processes all owned by nobody:nogroup and an attacker manages to obtain=20 control over one of them, the rest might be easy/easier prey. The evildoer= =20 will have better chances to obtain critical resources and maybe root in the= =20 end. This might seem like OpenBSD/paranoia, but my opinion on it is: It's done s= o=20 why not port it over? It also helps to keep the diff down (which means less= =20 work). If there is no resistance against "yet another user", I will add _pflogd. On a related note: OpenBSD also introduced an ioctl to lock a bpf-descripto= r,=20 thus making it less valueable for a possible attacker. This is a sane thing= =20 for longrunning processes such as IDS or pflog and I am wondering if we=20 should port it. It's a simple enough thing and I will post diffs on -net=20 later. =2D-=20 Best regards, | mlaier@freebsd.org Max Laier | ICQ #67774661 http://pf4freebsd.love2party.net/ | mlaier@EFnet --Boundary-02=_aMv1AXkPYyr+Yg8 Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (FreeBSD) iD8DBQBA1vMaXyyEoT62BG0RAhwQAJ9tpTMiIg/lbBjyDZAuQlP6zIJEKwCfdBDD 662bq9gi9yz511ZKnbEhOg8= =RRiU -----END PGP SIGNATURE----- --Boundary-02=_aMv1AXkPYyr+Yg8--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200406211639.22243.max>