[Testers wanted] /dev/console cleanups
Jeremy Chadwick
koitsu at freebsd.org
Wed Nov 19 23:08:23 PST 2008
On Thu, Nov 20, 2008 at 05:39:36PM +1100, Peter Jeremy wrote:
> On 2008-Nov-19 02:47:31 -0800, Jeremy Chadwick <koitsu at freebsd.org> wrote:
> >There's a known "issue" with the kernel message buffer though: it's not
> >NULL'd out upon reboot.
>
> This is deliberate. If the system panics, stuff that was in the
> message buffer (and might not be on disk) can be read when the system
> reboots. If there is no crashdump, this might be the only record of
> what happened.
That doesn't sound deliberate at all -- it sounds like a quirk that
people (you?) are relying on. I do not think any piece of the FreeBSD
system (e.g. savecore, etc.) relies on this behaviour.
You're under the mentality that the information is *always* available
after a panic/reboot -- it isn't. I have 4 different Supermicro
motherboards (all from different years) which will "most of the time"
lose the msgbuf after rebooting from single-user -- but sometimes the
msgbuf is retained. And no, bad hardware is not responsible for the
randomness of the problem.
I think it's been discussed in the past how/why this can happen. It has
to do with what each BIOS manufacturer chooses to do with some parts of
memory during start-up. I'm sure the "Quick Boot" (e.g. no extensive
memory test, which really doesn't test anything these days) option plays
a role, and that option is enabled by default on all motherboards I've
used in the past 10 years.
> > Meaning, in some cases (depends on the BIOS or
> >system), the kernel message buffer from single-user mode is retained
> >even after a reboot! A user can then do "dmesg" and see all the nifty
> >stuff you've done during single-user, which could include unencrypted
> >passwords if mergemaster was tinkering with passwd/master.passwd, etc..
>
> There shouldn't be unencrypted passwords, though there might be encrypted
> passwords visible.
Sorry, that's what I meant.
The point is that a lot of things can go on in single-user mode which
can/will disclose information or data in files which users do not have
access to. Once the system is rebooted, a non-root user can do "dmesg
-a" and see this buffer, getting access to data he/she normally does not
have access to.
Do you and I agree that this is in fact a security risk/problem?
> >Rink Springer created a patch where the kernel message buffer will start
> >with NULL to keep this from happening, but it needs to be made into a
> >loader.conf tunable.
>
> I hope that never gets committed - it will make debugging kernel
> problems much harder. There is already a kern.msgbuf_clear sysctl and
> maybe people who are concerned about msgbuf leakage need to learn to
> use it.
And this sysctl is only usable *after* the kernel loads, which means
you lose all of the messages shown from the time the kernel loads to
the time the sysctl is set (e.g. hardware detected/configured). This is
even less acceptable, IMHO.
I would like to see Rink's patch committed, as long as the loader
tunable defaults to *off* (e.g. current/historic behaviour). I'll also
ask Rink to chime in here with his thoughts/opinions.
--
| Jeremy Chadwick jdc at parodius.com |
| Parodius Networking http://www.parodius.com/ |
| UNIX Systems Administrator Mountain View, CA, USA |
| Making life hard for others since 1977. PGP: 4BD6C0CB |
More information about the freebsd-hackers
mailing list