Re: What is "negative group permissions"? (Re: narawntapu security run output)

2012-12-24 Thread jb
Mikhail T.  aldan.algebra.com> writes:

> 
> On 23.12.2012 11:48, Chris Rees wrote:
> > They involve a lot of thought to get right, as well as chmod g-w on 
> > something where you probably meant chmod go-w is a disastrous but 
> > (perhaps) common error. Chris 
> 
> Well, in (over 20) years of dealing with Unix, I've never made a mistake 
> like that, nor do I understand, how it can be considered "common" ... 
> Got to admit, I was surprised to see it. It made me think, I do not 
> understand something -- or that FreeBSD is becoming overly 
> paternalistic. It turned out to be the latter...
> 
> I doubt, it is useful. Worse, issuing such warnings routinely, only 
> reinforces the unfortunate misconceptions like the one Barney 
> demonstrated in this thread. When originally added, the check was meant 
> to be off by default:
> ... 
> perhaps, it should have remained off? Yours,

Those security checks are for a reason - people make mistakes (even a perfect
guy like you will have a "head in a brown bag" time).
It is better to get a heads-up, then think about it and turn it off (customize)
if considered unneeded.
jb
 



___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
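
The warning debated in this message concerns files whose group holds fewer rights than "other", which is the state `chmod g-w` leaves behind on a world-writable file. An added sketch of that test follows; it is not from the thread and not FreeBSD's own periodic script, and the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added illustration: list files and directories where "other" holds a
# permission bit (r, w or x) that the group lacks. Because the kernel checks
# owner, then group, then other, members of the group are denied what
# everyone else is allowed.

# find_neg_group_perms DIR
# "-perm -MODE" is true when every bit in MODE is set, so
# "! -perm -020 -perm -002" reads: group-write clear AND other-write set.
find_neg_group_perms() {
    find "$1" \( -type f -o -type d \) \
        \( \( ! -perm -040 -perm -004 \) \
        -o \( ! -perm -020 -perm -002 \) \
        -o \( ! -perm -010 -perm -001 \) \) -print | sort
}

# Constructed demo: two files start world-writable (0666); one gets the
# mistaken "g-w", the other the intended "go-w".
demo_neg_group_perms() {
    d=$(mktemp -d) || return 1
    : > "$d/mistake";  chmod 666 "$d/mistake";  chmod g-w  "$d/mistake"   # 0646
    : > "$d/intended"; chmod 666 "$d/intended"; chmod go-w "$d/intended"  # 0644
    : > "$d/private";  chmod 600 "$d/private"
    find_neg_group_perms "$d" | sed "s|^$d/||"
    rm -rf "$d"
}

demo_neg_group_perms
```

Only the file that went through `chmod g-w` is reported; it stays writable by everyone outside the group.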


Re: Will we get a RELEASE-9.1 for Christmas?

2012-12-09 Thread jb
CeDeROM  tlen.pl> writes:

> ... 
> Was also true for me to crash the 9.0 system with dependencies
> inconsistency after some time. But! Try 9.1-RC3 and use PORTINSTALL
> ...

The reason I abandoned 9.1-RC? was the security update statement that
"It is believed that the compromise may have occurred as early as the 19th
September 2012."
I looked at 9.1 release schedule and saw this:
Action  Expected    Actual
RC1     2012-07-20  2012-08-23
RC2     2012-09-07  2012-10-09
...
and decided to drop the ball, go back to 9.0 and bring myself up from there.
The result was as described.
jb






Re: Will we get a RELEASE-9.1 for Christmas?

2012-12-09 Thread jb
Brett Glass  lariat.net> writes:

> 
> Just checking in, yet again, to ask about the status of FreeBSD 
> 9.1. We've been delaying construction of new servers (which we 
> wanted to build during the US Thanksgiving holiday) until the 
> release, and really want to be able to work on them over Christmas. 
> I understand that the release was held back by server security 
> issues and possibly by problems with CLANG's failure to emulate 
> obscure quirks of GCC; are these now resolved? Is there anything 
> else on the "TODO" list (the version on the Wiki is of no help; 
> it's woefully out of date) to be done prior to release? Does the 
> FreeBSD project need a fresh server to be donated to handle the release?
> 
> --Brett Glass

A few days ago I installed 9.0 and tested twice:
- updating security/errata
- updating ports tree with portsnap
- setting up the system for Linux, Java, browsers (as in Handbook)
- and then from ports to make work the usual suspects: cdrecord, smartmontools
It all seems to be OK until, after many subsequent ports tree updates,
I decided to update xterm, vlc, xfce, pan from ports.
If I managed to update some of them, then it seemed the dependencies hell
or something else started to take effect and I could not finish building them
because they were dying with errors.
I have done such an exercise in the past many times and I never failed to
bring my system to a stable state.
Only after this security compromise, time wise, things were so unstable.
I understand that releng people will build all packages once more right before
9.1 release, but perhaps caution is warranted - would 9.1-RC4 make sense ?
jb




Re: freebsd-update and sources of 9.1-RC3

2012-11-06 Thread jb
Bas Smeelen  ose.nl> writes:

> ... 
> >> Since freebsd-update is meant to update the system I don't really see a
> >> point to make it install sources (or others things) if they are not
> >> present on the system being updated.
> ...
> > But, you brought up that "StrictComponents yes" option and we have to figure
> > out what it means ...
> 
>  From looking at the freebsd-update script (it's in /usr/sbin) I 
> understand when StrictComponents is set to yes it skips the step, 
> inspecting system and uses the list provided in freebsd-update.conf, 
> so this option might save some time and disk activity.

But then, after I removed /usr/src dir, it re-created it for itself just to
create in there that ../release sub-dir with some documents, which looked
useless to me, not to mention the fact that it attempted to install there some
20 or so other docs, but could not and failed with errors (see my test run
output in earlier post).
So, to me that is already a reason to ask the maintainer to look at it as it
is an important utility.

> I don't fully understand what the impact might be when running a custom 
> kernel.

When I had src present (by my download) prior to freebsd-update upgrade,
without custom kernel, without that "override" option ("StrictComponents no"),
I got src updated in various places, in particular the file
/usr/src/sys/conf/newvers.sh, which is OK.
If you had a custom kernel and src present, then src would get updated as 
above, and your custom kernel would be gone, but you would be asked to rebuild
your kernel manually. So, it would be convenient for you to have src ready,
by manual download or "override" option ("StrictComponents yes").

> ...
> > # When upgrading between releases, should the list of Components be
> > # read strictly (StrictComponents yes) or merely as a list of components
> > # which *might* be installed of which FreeBSD Update should figure out
> > # which actually are installed and upgrade those (StrictComponents no)?
> > # StrictComponents no
> >
> > The components are:
> > Components src world kernel
> >
> > Then what gives ? Does it not apply to src component ?

When I looked at this "override" option, which is per default disabled, which
is perfectly OK for most users, I understood it as not only saving some time
on verification of current system state, but a real option to request full
update of my system for components specified. This would make e.g. src download
needed first time, but if that is what I wanted, it would be configurable and
make sense for me and other people like the OP who actually expected it.
It would make this utility fully functional, not half-baked like it is right
now.
jb






Re: freebsd-update and sources of 9.1-RC3

2012-11-04 Thread jb
Bas Smeelen  ose.nl> writes:

> ... 
> To file a PR it will require some work to find out exactly what the PR 
> should be about.
> Since freebsd-update is meant to update the system I don't really see a 
> point to make it install sources (or others things) if they are not 
> present on the system being updated.
> ...

Well, that proves my earlier point.

But, you brought up that "StrictComponents yes" option and we have to figure
out what it means ...

# When upgrading between releases, should the list of Components be
# read strictly (StrictComponents yes) or merely as a list of components
# which *might* be installed of which FreeBSD Update should figure out
# which actually are installed and upgrade those (StrictComponents no)?
# StrictComponents no

The components are:
Components src world kernel

Then what gives ? Does it not apply to src component ?
jb





Re: freebsd-update and sources of 9.1-RC3

2012-11-04 Thread jb
Bas Smeelen  ose.nl> writes:

> ... 
> Can't this be accomplished by setting
> StrictComponents yes
> in /etc/freebsd-update.conf ?
> 
> Then freebsd-update does not try to figure out the components to update 
> by itself, but updates the components mentioned in
> Components src world kernel
> 
> I didn't try what happens if no source is installed.

Good shot, that could be the "override" option ...

I did the test and it did not work out for me.

# cat /etc/freebsd-update.conf
...
Components src world kernel
...
StrictComponents yes
...
#

# freebsd-update rollback
# shutdown -r now

# rm -rf /usr/src/

# freebsd-update upgrade -r 9.1-RC3
Looking up update.FreeBSD.org mirrors... 3 mirrors found.
Fetching metadata signature for 9.1-RC2 from update4.FreeBSD.org... done.
Fetching metadata index... done.
Fetching 1 metadata patches. done.
Applying metadata patches... done.
Fetching 1 metadata files... done.
Fetching metadata signature for 9.1-RC3 from update4.FreeBSD.org... done.
Fetching metadata index... done.
Fetching 1 metadata patches. done.
Applying metadata patches... done.
Fetching 1 metadata files... done.
Inspecting system... done.
Preparing to download files... done.
The following files will be added as part of updating to 9.1-RC3-p0:
/usr/src/release/doc/de_DE.ISO8859-1/early-adopter/article.xml
...
The following files will be updated as part of updating to 9.1-RC3-p0:
/boot/kernel/hpt27xx.ko
/boot/kernel/kernel
...
To install the downloaded upgrades, run "/usr/sbin/freebsd-update install".
#
# freebsd-update install
Installing updates...
Kernel updates have been installed.  Please reboot and run
"/usr/sbin/freebsd-update install" again to finish installing updates.
#
# shutdown -r now
 
# freebsd-update install
Installing updates...install: ///usr/src/release/doc/de_DE.ISO8859-1/early-adopter/article.xml: No such file or directory
...
#
# ls -al /usr/src/
total 12
drwxr-xr-x   3 root  wheel  512 Nov  4 10:17 .
drwxr-xr-x  16 root  wheel  512 Nov  4 10:17 ..
drwxr-xr-x   3 root  wheel  512 Nov  4 10:17 release
# ls -al /usr/src/release/doc/
total 36
drwxr-xr-x  9 root  wheel  512 Nov  4 10:17 .
drwxr-xr-x  3 root  wheel  512 Nov  4 10:17 ..
drwxr-xr-x  3 root  wheel  512 Nov  4 10:17 de_DE.ISO8859-1
drwxr-xr-x  3 root  wheel  512 Nov  4 10:17 en_US.ISO8859-1
drwxr-xr-x  3 root  wheel  512 Nov  4 10:17 fr_FR.ISO8859-1
drwxr-xr-x  3 root  wheel  512 Nov  4 10:17 ja_JP.eucJP
drwxr-xr-x  3 root  wheel  512 Nov  4 10:17 ru_RU.KOI8-R
drwxr-xr-x  3 root  wheel  512 Nov  4 10:17 share
drwxr-xr-x  3 root  wheel  512 Nov  4 10:17 zh_CN.GB2312
# ls -al /usr/src/release/doc/de_DE.ISO8859-1/
total 12
drwxr-xr-x  3 root  wheel  512 Nov  4 10:17 .
drwxr-xr-x  9 root  wheel  512 Nov  4 10:17 ..
drwxr-xr-x  3 root  wheel  512 Nov  4 10:17 share
#
# shutdown -r now

# uname -a
FreeBSD localhost.localdomain 9.1-RC3 FreeBSD 9.1-RC3 #0 r242324: Tue Oct 30 00:18:27 UTC 2012 r...@obrian.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386

No luck. Should we file a PR# (there are some error msgs anyway) ?
jb




Re: SU+J on 9.1-RC2 ISO

2012-11-03 Thread jb
Zoran Kolic  sbb.rs> writes:

> 
> I still use 8 and plan to install branch 9 on new laptop
> with ssd. If journaling comes as default on 9.1, I plan to
> accept defaults on partitioning and use tunefs to remove it
> with -h disable. Any idea what steps should I take for that?
> As far as I read, journaling uses its own partitions. Do
> I have to remove them, resize them? Branch 8 had option to
> choose su and j during install.
> I tried to find proper tutorials/manuals, but lacked to resolve
> it in my head.
> Best regards all

If you manage to disable it during install configuration (shell access) but
before actual system installation, there is nothing else to do.
If you install a partition with su+j, then as tunefs(8) says, you have to have
your partition unmounted or ro to disable "J". But before doing that, you should
run 'fsck' on that partition to have (select) journal played itself empty.
Btw, any "J" partition has .sujournal file, e.g.
# ls -al /.sujournal
You can get rid of it then.

jb
  




Re: freebsd-update and sources of 9.1-RC3

2012-11-03 Thread jb
Eugene Grosbein  grosbein.net> writes:

> ... 
> My real question is how make freebsd-update download sources they are not 
> installed?

I am not 110% sure, but you can not.
When freebsd-update runs, it checks its config file /etc/freebsd-update.conf
and then takes inventory of your system (that's why it is called "update", and
that's why you do not get new src set).
FREEBSD-UPDATE(8) does not give any "override" option.
So, here you are. But next time (assuming you keep your src) you will be fine.
jb




Re: freebsd-update and surces of 9.1-RC3

2012-11-03 Thread jb
Eugene Grosbein  grosbein.net> writes:

> 
> Hi!
> 
> I'm trying to use freebsd-update for first time.
> I have 9.0-RELEASE installed without sources and I have read Handbook chapter
> and manual page for freebsd-update.
> ... 
> How do I make freebsd-update to download and install sources
> for 9.1-RC3 so I could rebuild custom kernel?
> ...

You did not get src updated because you did not have it before.
Because there was no official announcement, I can give you a link (similar to
one for -RC2), from which you can get the sources src.txz:
ftp://ftp.freebsd.org/pub/FreeBSD/releases/i386/i386/9.1-RC3/
Be sure to check download's signature in MANIFEST file.
After that:
- make backup of anything you got in /usr/src, and remove that dir
  # rm -rf /usr/src
- unpack downloaded file locally into /usr/src dir (that destination dir is
  a default)

jb
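
The order of operations in this message (check the download against MANIFEST, then unpack) can be scripted as below. This is an added example, not part of the original post or of any FreeBSD tool; the function names are hypothetical, the sample data is constructed, and the MANIFEST layout (tab-separated, file name in field 1, SHA256 in field 2) is an assumption.

```shell
#!/bin/sh
# Added illustration: compare a downloaded distribution set with the SHA256
# recorded for it in MANIFEST, and unpack only when they match.
# Assumed MANIFEST layout: tab-separated fields, file name first, SHA256
# second; any further fields are ignored.

# Print the SHA256 of a file with whichever tool the host provides.
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                          # FreeBSD
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'     # GNU coreutils
    else
        openssl dgst -sha256 "$1" | awk '{ print $NF }'
    fi
}

# verify_dist MANIFEST FILE
# Returns 0 on a match, 1 on a mismatch, 2 if FILE is not listed.
verify_dist() {
    name=$(basename "$2")
    want=$(awk -F '\t' -v f="$name" '$1 == f { print $2; exit }' "$1")
    [ -n "$want" ] || { echo "$name: not listed in MANIFEST" >&2; return 2; }
    got=$(sha256_of "$2") || return 2
    [ "$got" = "$want" ] || { echo "$name: SHA256 mismatch" >&2; return 1; }
}

# unpack_verified MANIFEST FILE DESTDIR
# Extracts FILE under DESTDIR only after verify_dist succeeds.
unpack_verified() {
    verify_dist "$1" "$2" || return
    mkdir -p "$3" && tar -xpf "$2" -C "$3"
}

# Constructed demo: a stand-in file and a MANIFEST line built for it, then
# the same file with one byte appended.
demo_verify_dist() {
    d=$(mktemp -d) || return 1
    printf 'constructed stand-in for src.txz\n' > "$d/src.txz"
    printf 'src.txz\t%s\n' "$(sha256_of "$d/src.txz")" > "$d/MANIFEST"
    verify_dist "$d/MANIFEST" "$d/src.txz" && echo "intact: accepted"
    printf 'x' >> "$d/src.txz"
    verify_dist "$d/MANIFEST" "$d/src.txz" 2>/dev/null || echo "modified: rejected"
    rm -rf "$d"
}

demo_verify_dist
```

A MANIFEST fetched from the same server as the archive only catches corruption in transit; compare it with a copy obtained over a trusted channel before relying on it.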

 






Re: tmpfs nfs exports?

2012-10-30 Thread jb
Alfred Perlstein  mu.org> writes:

> 
> Hey folks, any reason why not to include the following patch in 9.1? It 
> would be nice to have tmpfs be exportable.
> 
> I'm good to commit it, I can also wait until post 9.1.
> ...

How do you identify tmpfs ? With fsid ?

Since nfs server is stateless, are these exports identical ?
export /tmp, reboot, export /tmp

What about /tmp on tmpfs ?
export /tmp, reboot, export /tmp

jb





Re: The shutdown bug?

2012-10-23 Thread jb
Per olof Ljungmark  intersonic.se> writes:

> ... 
> Setting sysctl hw.usb.no_shutdown_wait=1 does NOT fix the problem as
> described in
> http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/167685
> ...

There is another one:
http://www.freebsd.org/cgi/query-pr.cgi?pr=172952&cat=
jb
 







Re: 9.1-RC2 - could it be that the installer does not write the MBR?

2012-10-18 Thread jb
jb  gmail.com> writes:

> ... 
> I installed RC2 yesterday and noticed that there was no question asked where
> to install boot loader (MBR or FB root slice/partition).
> That's something needing a fix.
> jb

I filed a PR:
http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/172847
jb





Re: 9.1-RC2 - could it be that the installer does not write the MBR?

2012-10-18 Thread jb
Brandon Allbery  gmail.com> writes:

> 
> On Wed, Oct 17, 2012 at 4:56 PM, Rainer Duffner  ultra-secure.de> wrote:
> 
> > I tried to install 9.1-RC2 amd64 on two disks that previously had some
> > version of Solaris installed (with grub as boot-manager).
> > The installation would always be successful, but it would just boot to
> > grub and then sit there.
> >
> 
> RC1 wasn't very good at it either.
> 

I installed RC2 yesterday and noticed that there was no question asked where
to install boot loader (MBR or FB root slice/partition).
That's something needing a fix.
jb






Re: Alert When Hardware Changes !

2012-10-05 Thread jb
Shiv. Nath  digital-infotech.net> writes:

> ... 
> Is anyone aware of such program (software) that can alert me when hardware
> changes? i.e. lets say i will monitor the hardware for a computer/server
> using a program (i.e. Zabbix / Nagios) may be different program. Can i
> receive the alert when hard disk for the computer has been changed?
> 
> Any software anyone aware of?

http://www.freebsd.org/cgi/url.cgi?ports/deskutils/devd-notifier/pkg-descr
jb






Re: 9.1-RC1 installer [was: FreeBSD 9.1-RC1 Available...]

2012-09-01 Thread jb
John Marshall  riverwillow.com.au> writes:

> 
> I've just installed an Intel server from a 9.1-RC1 CD. This was my first
> encounter with the new installer. I didn't like the look of what the
> Auto option showed me for drive partitioning, so I tried Manual and
> found that confusing.
> ...

Fair enough. But what should it look like ? How to make it less confusing ?
Can you elaborate here or file a PR# with details ?
jb
 




Re: IPv4 vs. IPv6 Ethernet Performance

2012-08-29 Thread jb
Norbert Aschendorff  yahoo.de> writes:

> ... 
> {Values in MBit/s}
> 
> Configuration   IPv6    IPv4
> ---
> [1] -> [2]      450     600
> [2] -> [1]      401     855
> ...

Well done. Thanks.
jb







Re: IPv4 vs. IPv6 Ethernet Performance

2012-08-29 Thread jb
Norbert Aschendorff  yahoo.de> writes:

> ... 
> Little table (values in Mbit/s):
> 
> Configuration      v6   v4
> ===
> Linux -> Linux     925  935  # <= This could be v6's 40B header
>                              # vs. v4's 20B
> Linux -> FreeBSD   450  700
> FreeBSD -> Linux   455  920
> ===
> 
> The FreeBSD->Linux value shows that the ethernet chip on the FreeBSD
> machine (it's Intel stuff on both sides, using the em(4) driver on
> FreeBSD) is able to send at full 1G speed. But why is IPv6 so slow?
 
Norbert,
may I ask you to provide one more stats item for this table, if you can ?
  FreeBSD -> FreeBSD  ???  ???

Thanks,
jb




Re: Temperature too high when high overload

2012-08-27 Thread jb
Christian Mangin  gmail.com> writes:

> 
> Le 27.08.2012 08:44, Mike Manilone a écrit :
> > Hi all,
> >
> > I just switched from Fedora Linux to FreeBSD. But I noticed a problem,
> > the CPU temperature will be very high when the load is high.
> > Especially while I am building C++ programs. It shut down for even 3
> > times while I was building Firefox/Thunderbird, just because of high
> > temperature (86.5C).
> > ...
> I used to have the same problem with my laptop (i5) and this can be
> fixed by lowering the temperature threshold for passive cooling. (_PSV)
> 
> hw.acpi.thermal.user_override=1
> hw.acpi.thermal.tz0._PSV=80C
> 
> You should try to adjust _PSV to be significantly lower (> 15-20C) than
> the _CRT (critical shutdown temp) so that _CRT is never reached.
> 
> Christian

I too have the same problem (Lenovo dual core r61i).
You should see the relevant data before making any changes - below it is
explained why.

This is my data:
$ sysctl -a | grep -i thermal
hw.acpi.thermal.min_runtime: 0
hw.acpi.thermal.polling_rate: 10
hw.acpi.thermal.user_override: 0
hw.acpi.thermal.tz0.temperature: 42.0C
hw.acpi.thermal.tz0.active: -1
hw.acpi.thermal.tz0.passive_cooling: 0
hw.acpi.thermal.tz0.thermal_flags: 0
hw.acpi.thermal.tz0._PSV: -1
hw.acpi.thermal.tz0._HOT: -1
hw.acpi.thermal.tz0._CRT: 127.0C
hw.acpi.thermal.tz0._ACx: -1 -1 -1 -1 -1 -1 -1 -1 -1 -1
hw.acpi.thermal.tz0._TC1: -1
hw.acpi.thermal.tz0._TC2: -1
hw.acpi.thermal.tz0._TSP: -1
hw.acpi.thermal.tz1.temperature: 42.0C
hw.acpi.thermal.tz1.active: -1
hw.acpi.thermal.tz1.passive_cooling: 1
hw.acpi.thermal.tz1.thermal_flags: 0
hw.acpi.thermal.tz1._PSV: 95.5C
hw.acpi.thermal.tz1._HOT: -1
hw.acpi.thermal.tz1._CRT: 100.0C
hw.acpi.thermal.tz1._ACx: -1 -1 -1 -1 -1 -1 -1 -1 -1 -1
hw.acpi.thermal.tz1._TC1: 5
hw.acpi.thermal.tz1._TC2: 4
hw.acpi.thermal.tz1._TSP: 600
dev.acpi_tz.0.%desc: Thermal Zone
dev.acpi_tz.1.%desc: Thermal Zone
dev.p4tcc.0.%desc: CPU Frequency Thermal Control
dev.p4tcc.1.%desc: CPU Frequency Thermal Control
$

As you can see in my case:
hw.acpi.thermal.tz0.passive_cooling: 0
which is NOT available (so obviously any settings in tz0 zone are irrelevant).
This is explained here:
ACPI_THERMAL(4):
...
 hw.acpi.thermal.tz%d.passive_cooling
 If set to 1, passive cooling is enabled.  It does cooling without
 fans using cpufreq(4) as the mechanism for controlling CPU speed.
 Default is enabled for tz0 where it is available.
...

In my case tz1 zone is available and active.

jb
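
The two checks from this exchange (is passive cooling available in the zone at all, and does `_PSV` sit far enough below `_CRT`) can be read off the sysctl output mechanically. The following is an added example, not part of the original posts; the function names are hypothetical, the 15C margin is taken from the lower bound quoted above, and the input lines are copied from the listing in this message.

```shell
#!/bin/sh
# Added illustration: summarise each ACPI thermal zone from
# "hw.acpi.thermal.tzN.key: value" lines read on stdin.
# On a live system: sysctl hw.acpi.thermal | tz_report 15

# tz_report [MIN_MARGIN]
# Prints one line per zone: zone, passive_cooling flag, _PSV, _CRT, verdict.
tz_report() {
    awk -F': ' -v want="${1:-15}" '
    /^hw\.acpi\.thermal\.tz[0-9]+\./ {
        split($1, p, ".")              # p[4] = "tz0", p[5] = "_PSV", ...
        z = p[4]; zones[z] = 1
        v = $2; sub(/C$/, "", v)       # "95.5C" -> "95.5"; -1 is treated as unset
        val[z, p[5]] = v
    }
    END {
        for (z in zones) {
            pc  = val[z, "passive_cooling"]
            psv = val[z, "_PSV"]
            crt = val[z, "_CRT"]
            if (pc + 0 != 1 || psv + 0 < 0)
                verdict = "no-passive-cooling"
            else if (crt - psv < want + 0)
                verdict = "margin-too-small"
            else
                verdict = "ok"
            printf "%s passive=%s PSV=%s CRT=%s %s\n", z, pc, psv, crt, verdict
        }
    }' | sort
}

# Input: the relevant lines of the sysctl listing shown in this message.
demo_tz_report() {
    tz_report 15 <<'EOF'
hw.acpi.thermal.user_override: 0
hw.acpi.thermal.tz0.passive_cooling: 0
hw.acpi.thermal.tz0._PSV: -1
hw.acpi.thermal.tz0._CRT: 127.0C
hw.acpi.thermal.tz1.passive_cooling: 1
hw.acpi.thermal.tz1._PSV: 95.5C
hw.acpi.thermal.tz1._CRT: 100.0C
EOF
}

demo_tz_report
```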




Re: Thinkpad X61s cannot boot 9.1-BETA1

2012-07-20 Thread jb
Per olof Ljungmark  intersonic.se> writes:

> ... 
> >> Did anyone else experience this? With 9.1-BETA1 the boot process
> >> freezes, among the last lines with verbose boot are
> >>
> >> acpi_acad0: On Line
> >> acpi_acad0: acline initialization done, tried 1 times
> >>
> >> after this, dead.
> >> ...
> Tried ALL boot options, none worked. For example, if I try "disable 
> acpi" it will stop at "no event timer available".

Here is something similar ...
http://forums.freebsd.org/archive/index.php/t-32423.html
...
"When I enabled verbose boot logging, the boot seems to hang up just after the
kernel load. I have tried disabling ACPI and APIC with the same results.

Here is where the news starts to turn good. I tried a FreeBSD 9 disk and got
much further. Then, I was either getting a page fault or panic: no usable event
timer found depending on boot options. The release errata then set me straight.
With debug.acpi.disabled="hostres" I was able to boot! ..."

Here is the related errata:
http://www.freebsd.org/releases/9.0R/errata.html
...
"[amd64, i386] FreeBSD 9.0-RELEASE includes several changes to improve resource
management of PCI devices. Some x86 machines may not boot or may have devices
that no longer attach when using ACPI as a result of these changes. This can be
worked around by setting a loader(8) tunable debug.acpi.disabled to hostres. To
do this, enter the following lines at the loader prompt:

set debug.acpi.disabled="hostres"
boot

Or, put the following line into /boot/loader.conf:

debug.acpi.disabled="hostres"
..."

Anyway, regardless of this attempt, file a PR# for 9.1-BETA1.
jb







Re: Thinkpad X61s cannot boot 9.1-BETA1

2012-07-19 Thread jb
Per olof Ljungmark  intersonic.se> writes:

> 
> Hi,
> 
> Did anyone else experience this? With 9.1-BETA1 the boot process 
> freezes, among the last lines with verbose boot are
> 
> acpi_acad0: On Line
> acpi_acad0: acline initialization done, tried 1 times
> 
> after this, dead.
> 
> What is supposed to happen in the next stage?
> This laptop worked fine with 9-STABLE to at least February.
> 

Try Google search:
acpi_acad0: acline initialization done, tried 1 times

for example
http://forums.freebsd.org/archive/index.php/t-12194.html
...
boot with "disable acpi" selection

jb




Re: Text relocations in kernel modules

2012-04-04 Thread jb
Peter Wemm  wemm.org> writes:

> ...
> 5) If you own the machine's kernel, you can hide anything you wish.
> Relocations are not a factor in this.
> 

OK. Thanks a lot guys for sharing your answers and time.
It was quite interesting.
jb




Re: Text relocations in kernel modules

2012-04-04 Thread jb
Peter Wemm  wemm.org> writes:

> ...
> There is no way to interfere because it is done outside of user space
> entirely, **after** the file has been copied out of the file system.
> You can do whatever you like to the file, but it has no effect because
> all the relocation is done in a private kernel copy.
> ...

What if attack code (broadly understood) is part of module code, and is based
on either or both of:
- hidden (as to meaning and reloc targets) arrangement of relocations needed
- has an ability of (self) activation during load/link and *relocations* process
already under the privilege of the kernel ?

Is that possible at all ?
Would there be any protection against it (except giving up relocations as
an enabling vehicle) ?

jb




Re: Text relocations in kernel modules

2012-04-04 Thread jb
Ian Lepore  damnhippie.dyndns.org> writes:

> ...
> > But of interest to me is this:
> > "...
> > Text relocations are a way in which references in the executable code to
> > addresses not known at link time are solved. Basically they just write
> > the appropriate address at runtime marking the code segment writable in
> > order to change the address then unmarking it. This can be a problem as
> > an attacker could try to exploit a bug when the text relocation happens
> > in order to be able to write arbitrary code in the text segment which
> > would be executed.
> > ..."
> ... 
> A kernel module is loaded and linked
> ONCE, at load time, into the kernel's address space.
> ...

From the point of view of an attacker it does not matter whether kernel module
is loaded and linked once only. That's enough to create a window of opportunity
for interfering with relocation process and modifying text (code).

jb




Re: Text relocations in kernel modules

2012-04-04 Thread jb
  pobox.com> writes:

> ... 
> You can appeal to authority by saying the Gentoo Hardened developers said
> such-and-such all you want, but it would be more useful for you to be able
> to make specific technical arguments yourself. Saying "it could be a
> problem" or "in the wild there may be" isn't useful. A valid technical
> argument giving a mechanism for relocations to be exploited is all that
> is needed for you to prove your point.
> ...

I have a question regarding security of FreeBSD kernel module loading and
relocation.

According to KLDLOAD(8): 
"...The kldload utility loads file.ko into the kernel using the kernel
 linker. ..."

So, kernel module is loaded:
# kldload /boot/kernel/foo.ko

Here is my question: is foo.ko modified at this time ? Due to relocations ?

The reason I ask about it is this Gentoo Hardened FAQ item:

http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml#paxnoelf

"I keep getting the message: "error while loading shared libraries: cannot make
segment writable for relocation: Permission denied." What does this mean?"

I understand this is about .so and does not apply directly to .ko .

But of interest to me is this:
"...
Text relocations are a way in which references in the executable code to
addresses not known at link time are solved. Basically they just write
the appropriate address at runtime marking the code segment writable in order
to change the address then unmarking it. This can be a problem as an attacker
could try to exploit a bug when the text relocation happens in order to be able
to write arbitrary code in the text segment which would be executed.
..."

Now, let me apply the above quoted paragraph to .ko and ask my question again,
this time being more specific:

are you doing any "marking" and "unmarking" of it at relocations and load time,
thus creating an attack window opportunity ?

jb




Re: FreeBSD9 and the sheer number of problem reports

2012-02-26 Thread jb
H  hm.net.br> writes:

> ... 
> it is about FreeBSD and the meaning, importance and reliability  of
> -RELEASE for all people
> ...
> > Still, FreeBSD has always at least one more release out there which
> > was hardened in real life.
> > ...

Hi,
I think you have a point.

There was a very interesting discussion on "FreeBSD and release engineering".
http://lwn.net/Articles/478663/
 
There were some proposals made, but in my view this is the most important one.
There are too many "production releases" - at present including versions
7.4, 8.2, and 9.0 .
Cutting one would refocus devs and users on the remaining two, with obvious
benefits to FreeBSD product.

jb

