startup error for pflogd

Max Laier max at
Mon Jun 21 14:42:21 GMT 2004

On Monday 21 June 2004 10:57, Michael Reifenberger wrote:
> Hi,
> as it seems is pflogd requiring an user "_pflogd" to work which is not
> installed by default under FreeBSD.

Oh, I knew I forgot something :-\

> As it seems is OpenBSD aggressivly using "_<service>" users.
> Is this something we should follow?

I'll try to explain the reasoning behind this. If there are a zillion 
processes all owned by nobody:nogroup and an attacker manages to obtain 
control over one of them, the rest might be easy/easier prey. The evildoer 
will have better chances to obtain critical resources and maybe root in the 

This might seem like OpenBSD/paranoia, but my opinion on it is: It's done so 
why not port it over? It also helps to keep the diff down (which means less 

If there is no resistance against "yet another user", I will add _pflogd.

On a related note: OpenBSD also introduced an ioctl to lock a bpf-descriptor, 
thus making it less valueable for a possible attacker. This is a sane thing 
for longrunning processes such as IDS or pflog and I am wondering if we 
should port it. It's a simple enough thing and I will post diffs on -net 

Best regards,				| mlaier at
Max Laier				| ICQ #67774661	| mlaier at EFnet
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: signature
Url :

More information about the freebsd-current mailing list