svn commit: r314036 - head/usr.sbin/bsdinstall/scripts

John Baldwin jhb at freebsd.org
Wed Feb 22 17:35:35 UTC 2017


On Wednesday, February 22, 2017 07:52:45 AM Bartłomiej Rutkowski wrote:
> On Tue, Feb 21, 2017 at 2:34 PM, Eric Badger <badger at freebsd.org> wrote:
> 
> > On 02/21/2017 03:37 AM, Bartek Rutkowski wrote:
> >
> >> Author: robak (ports committer)
> >> Date: Tue Feb 21 09:37:33 2017
> >> New Revision: 314036
> >> URL: https://svnweb.freebsd.org/changeset/base/314036
> >>
> >> Log:
> >>   Enable bsdinstall hardening options by default.
> >>
> >>   As discussed previously, in order to introduce new OS hardening
> >>   defaults, we've added them to bsdinstall in 'off by default' mode.
> >>   It has been there for a while, so the next step is to change them
> >>   to 'on by default' mode, so that in future we could simply enable
> >>   them in base OS.
> >>
> >>   Reviewed by:  brd
> >>   Approved by:  adrian
> >>   Differential Revision:        https://reviews.freebsd.org/D9641
> >>
> >> Modified:
> >>   head/usr.sbin/bsdinstall/scripts/hardening
> >>
> >> Modified: head/usr.sbin/bsdinstall/scripts/hardening
> >> ============================================================
> >> ==================
> >> --- head/usr.sbin/bsdinstall/scripts/hardening  Tue Feb 21 09:33:21
> >> 2017        (r314035)
> >> +++ head/usr.sbin/bsdinstall/scripts/hardening  Tue Feb 21 09:37:33
> >> 2017        (r314036)
> >> @@ -36,15 +36,15 @@ FEATURES=$( dialog --backtitle "FreeBSD
> >>      --title "System Hardening" --nocancel --separate-output \
> >>      --checklist "Choose system security hardening options:" \
> >>      0 0 0 \
> >> -       "0 hide_uids" "Hide processes running as other users"
> >> ${hide_uids:-off} \
> >> -       "1 hide_gids" "Hide processes running as other groups"
> >> ${hide_gids:-off} \
> >> -       "2 read_msgbuf" "Disable reading kernel message buffer for
> >> unprivileged users" ${read_msgbuf:-off} \
> >> -       "3 proc_debug" "Disable process debugging facilities for
> >> unprivileged users" ${proc_debug:-off} \
> >> -       "4 random_pid" "Randomize the PID of newly created processes"
> >> ${random_pid:-off} \
> >> -       "5 stack_guard" "Insert stack guard page ahead of the growable
> >> segments" ${stack_guard:-off} \
> >> -       "6 clear_tmp" "Clean the /tmp filesystem on system startup"
> >> ${clear_tmp:-off} \
> >> -       "7 disable_syslogd" "Disable opening Syslogd network socket
> >> (disables remote logging)" ${disable_syslogd:-off} \
> >> -       "8 disable_sendmail" "Disable Sendmail service"
> >> ${disable_sendmail:-off} \
> >> +       "0 hide_uids" "Hide processes running as other users"
> >> ${hide_uids:-on} \
> >> +       "1 hide_gids" "Hide processes running as other groups"
> >> ${hide_gids:-on} \
> >> +       "2 read_msgbuf" "Disable reading kernel message buffer for
> >> unprivileged users" ${read_msgbuf:-on} \
> >> +       "3 proc_debug" "Disable process debugging facilities for
> >> unprivileged users" ${proc_debug:-on} \
> >> +       "4 random_pid" "Randomize the PID of newly created processes"
> >> ${random_pid:-on} \
> >> +       "5 stack_guard" "Insert stack guard page ahead of the growable
> >> segments" ${stack_guard:-on} \
> >> +       "6 clear_tmp" "Clean the /tmp filesystem on system startup"
> >> ${clear_tmp:-on} \
> >> +       "7 disable_syslogd" "Disable opening Syslogd network socket
> >> (disables remote logging)" ${disable_syslogd:-on} \
> >> +       "8 disable_sendmail" "Disable Sendmail service"
> >> ${disable_sendmail:-on} \
> >>  2>&1 1>&3 )
> >>  exec 3>&-
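Review bot: this hunk flips all nine defaults at once, bundling low-impact kernel knobs (`"0 hide_uids"`, `"4 random_pid"`, `"5 stack_guard"`) with options that change user-visible behaviour on a fresh install, in particular `"3 proc_debug" "Disable process debugging facilities for unprivileged users" ${proc_debug:-on}` and `"7 disable_syslogd" "Disable opening Syslogd network socket (disables remote logging)" ${disable_syslogd:-on}`. Consider splitting the change so the contentious defaults can be reverted independently, or keeping `${proc_debug:-off}` until the effect on unprivileged debuggers is documented alongside the checklist text.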
> >>
> >>
> >>
> > Hi Bartek,
> >
> > Thanks for working on making it easier to harden FreeBSD. While defaulting
> > some of these options to "on" seems pretty harmless (e.g. random_pid),
> > others are likely to cause confusion for new and experienced users alike
> > (e.g. proc_debug. I've never used that option before, so I gave it a try.
> > It simply causes gdb to hang when attempting to start a process, with no
> > obvious indication of why). I think more discussion is merited before they
> > are turned on by default; personally I think they have potential to sour a
> > first impression of FreeBSD by making things people are used to doing on
> > other OSes hard.
> 
> 
> The audience of these changes is not someone like you, who's using gdb
> daily. The audience is the new users who often don't know what they're
> doing, why they're doing that and how to do differently, especially when it
> comes to the security. Power users in most cases don't use bsdinstall to
> install their systems, they use automation of some sort to fine tune the OS
> exactly to their needs and use case, and in their case this change is
> transparent and doesn't affect them. What it affects is the default FreeBSD
> installation and our poor track record of default installation security and
> great track record for not changing and improving things just because
> they've been like that for past decade.

Please don't turn FreeBSD into a system that is a pain to develop on.  For my
undergrad students who do their work in Linux VMs I have multiple times ended
up unable to find a core dump in Ubuntu because of its weird core dump
setup.

One of my assignments is to write a simple shell that forks off new processes
to call exec and you can't debug that out of the box on OS X either (gdb
can't start new processes without mucking with a security setting and then
rebooting, and lldb doesn't have the required functionality of following
forks).

Right now FreeBSD is actually the most usable of the three systems for this
sort of thing.  I think disabling proc_debug by default will be a similar
PITA much as Ubuntu.

-- 
John Baldwin