cvs commit: src/sys/netinet ip_fastfwd.c ip_input.c ip_var.h

Pawel Jakub Dawidek pjd at FreeBSD.org
Sat May 8 11:15:59 PDT 2004


On Sat, May 08, 2004 at 08:52:49AM -0700, Darren Reed wrote:
+> Then again, if the rationale for having these sysctl's is because
+> we don't trust those code paths then:
+> a) why don't we audit or do walk throughs or code inspections
+>    to fix this;
+> b) why don't we add sysctl's to disable all code paths that we
+>    have similar doubts about elsewhere in the kernel.
+> 
+> Doing (b) is just stupid but if there are real concerns then there
+> is a lot more to gain by doing (a) than adding these sysctl's as a
+> defence mechanism.

It isn't stupid and we do it in this way if functionality _could be_
insecure and it is only used by _a few_ (if anyone).
Check:
	- vfs.usermount,
	- net.inet.ip.sourceroute (!!),
	- security.jail.socket_unixiproute_only,
	- security.jail.sysvipc_allowed,
	- security.jail.getfsstate_getfsstatroot_only,
	- security.bsd.unprivileged_get_quota.

Probably many more, and more that I'd be happier to see
turned on by default:
	- security.bsd.unprivileged_read_msgbuf,
	- security.bsd.hardlink_check_uid,
	- security.bsd.hardlink_check_gid.

+> [...]  Doing (a) leads to real security.  What this
+> patch provides, does not.

No, you are wrong. It leads to better security, that's all.
How many times was OpenSSH audited? The best thing you can do
is to block all unneeded functionality, for me, even capabilities
aren't the answer, that's why I coded CerbNG, that's why I like
systrace. And this change I like, because I don't have to load
the whole firewall only for this (I agree here with Sam) and this
code isn't complex - it is worth it. Just like in life:)
You have to balance things all the time, here: introduced complexity
and risk with introduced benefits and security (how much complexity
it removes if it becomes the default?). It has my vote.

-- 
Pawel Jakub Dawidek                       http://www.FreeBSD.org
pjd at FreeBSD.org                           http://garage.freebsd.pl
FreeBSD committer                         Am I Evil? Yes, I Am!
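The knobs listed above are only useful if someone checks that they are actually set. The following POSIX shell function is an added example, not code from this thread or from FreeBSD: it reads `sysctl -a`-style `name: value` lines on stdin and reports every knob that differs from a baseline. The baseline values are my assumption of the restrictive setting for each knob (code path closed, check enabled), and the sysctl output below is a constructed sample so the check runs without a FreeBSD box.

```shell
#!/bin/sh
# Constructed sample of `sysctl -a` output ("name: value"), not taken from a real host.
SAMPLE_SYSCTL='vfs.usermount: 1
net.inet.ip.sourceroute: 0
security.jail.socket_unixiproute_only: 1
security.jail.sysvipc_allowed: 1
security.bsd.unprivileged_get_quota: 0
security.bsd.unprivileged_read_msgbuf: 1
security.bsd.hardlink_check_uid: 0
security.bsd.hardlink_check_gid: 1'

# Baseline (assumed): knob name and the value that keeps the optional
# code path disabled or the extra check enabled.
BASELINE='vfs.usermount 0
net.inet.ip.sourceroute 0
security.jail.socket_unixiproute_only 1
security.jail.sysvipc_allowed 0
security.bsd.unprivileged_get_quota 0
security.bsd.unprivileged_read_msgbuf 0
security.bsd.hardlink_check_uid 1
security.bsd.hardlink_check_gid 1'

# check_sysctl_baseline: sysctl output on stdin; prints one line per
# missing or deviating knob; exit status 0 only when everything matches.
check_sysctl_baseline() {
    deviations=0
    sysctl_out=$(cat)
    while read -r name wanted; do
        [ -n "$name" ] || continue
        # Pull the current value for this knob out of the captured output.
        current=$(printf '%s\n' "$sysctl_out" | awk -v n="$name:" '$1 == n { print $2 }')
        if [ -z "$current" ]; then
            printf '%s missing wanted=%s\n' "$name" "$wanted"
            deviations=$((deviations + 1))
        elif [ "$current" != "$wanted" ]; then
            printf '%s current=%s wanted=%s\n' "$name" "$current" "$wanted"
            deviations=$((deviations + 1))
        fi
    done <<EOF
$BASELINE
EOF
    [ "$deviations" -eq 0 ]
}

# Number of deviations found in the constructed sample (prints 4).
count_sample_deviations() {
    printf '%s\n' "$SAMPLE_SYSCTL" | check_sysctl_baseline | wc -l | tr -d ' '
}
```

On a real host, `sysctl -a | check_sysctl_baseline` replaces the constructed sample.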