svn commit: r314036 - head/usr.sbin/bsdinstall/scripts
Bartłomiej Rutkowski
robak at freebsd.org
Wed Feb 22 07:49:21 UTC 2017
On Wed, Feb 22, 2017 at 7:07 AM, Joel Dahl <joel at vnode.se> wrote:
> On Tue, Feb 21, 2017 at 02:40:02PM +0000, Alexey Dokuchaev wrote:
> > On Tue, Feb 21, 2017 at 08:34:29AM -0600, Eric Badger wrote:
> > > Thanks for working on making it easier to harden FreeBSD. While
> > > defaulting some of these options to "on" seem pretty harmless (e.g.
> > > random_pid), others are likely to cause confusion for new and
> > > experienced users alike (e.g. proc_debug. I've never used that option
> > > before, so I gave it a try. It simply causes gdb to hang when
> attempting
> > > to start a process, with no obvious indication of why).
> >
> > I concur. In fact, harmless knobs should probably be turned on by
> default
> > in FreeBSD itself (i.e., without any "hardening" help from the
> installer),
> > while more intrusive ones should be opt-in, not opt-out.
>
> I agree. Can we back this out and discuss it on current@?
>
With all due respect, I would rather not. The only reason is that it's been
discussed so many times over the years and neither of the discussion ended
up in anything improving the security of the OS and this is exactly why I
took the action and started introducing the hardening options to the
bsdinstall. Mind, you can always disable them, they won't be enabled in
base OS for a while and this is the best way to assert wether they do have
any negative impact. They've been around as OFF by default since 11.0-R and
so far no one complained.
Kind regards,
Bartek Rutkowski
More information about the svn-src-head
mailing list