startup error for pflogd
Max Laier
max at love2party.net
Mon Jun 21 14:42:21 GMT 2004
On Monday 21 June 2004 10:57, Michael Reifenberger wrote:
> Hi,
> as it seems is pflogd requiring an user "_pflogd" to work which is not
> installed by default under FreeBSD.
Oh, I knew I forgot something :-\
> As it seems is OpenBSD aggressivly using "_<service>" users.
> Is this something we should follow?
I'll try to explain the reasoning behind this. If there are a zillion
processes all owned by nobody:nogroup and an attacker manages to obtain
control over one of them, the rest might be easy/easier prey. The evildoer
will have better chances to obtain critical resources and maybe root in the
end.
This might seem like OpenBSD/paranoia, but my opinion on it is: It's done so
why not port it over? It also helps to keep the diff down (which means less
work).
If there is no resistance against "yet another user", I will add _pflogd.
On a related note: OpenBSD also introduced an ioctl to lock a bpf-descriptor,
thus making it less valueable for a possible attacker. This is a sane thing
for longrunning processes such as IDS or pflog and I am wondering if we
should port it. It's a simple enough thing and I will post diffs on -net
later.
--
Best regards, | mlaier at freebsd.org
Max Laier | ICQ #67774661
http://pf4freebsd.love2party.net/ | mlaier at EFnet
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: signature
Url : http://lists.freebsd.org/pipermail/freebsd-current/attachments/20040621/aa16541b/attachment.bin
More information about the freebsd-current
mailing list