Re: OpenBSD 6.x and wxallowed
Hi,

On Mon, Oct 21, 2019 at 09:57:24AM +0100, Stuart Henderson wrote:
> > $ grep -rHI USE_WXNEEDED /usr/ports/ | wc
> > 64 2013827
>
> This ignores ports where USE_WXNEEDED is set by a module, this is a better
> number:
>
> $ sqlite3 /usr/local/share/sqlports "select count(fullpkgpath) from ports
> where use_wxneeded='1'"
> 130

Ports (or any programs in general) built with lang/ghc don't even have
USE_WXNEEDED but still contain binaries with an OPENBSD_WXNEED section
(xmonad, darcs, ...).

(I'm currently working on killing wxneeded for Haskell)

Ciao,
Kili
Re: OpenBSD 6.x and wxallowed
On 2019/10/21 10:19, Masato Asou wrote:
> From: "Nelson H. F. Beebe"
> Date: Fri, 18 Oct 2019 07:39:26 -0600
>
> > Has anyone looked into the problem of enumerating packages that are
> > installed in the /usr/local tree that actually NEED simultaneous write
> > and execute access?
>
> You can find that as below:
>
> $ grep -rHI USE_WXNEEDED /usr/ports/ | wc
> 64 2013827

This ignores ports where USE_WXNEEDED is set by a module, this is a better
number:

$ sqlite3 /usr/local/share/sqlports "select count(fullpkgpath) from ports where use_wxneeded='1'"
130

However it includes things like Python, which are marked USE_WXNEEDED
because they *might* load an extension which requires W+X (like the
webkit-based extensions), but don't need it in other cases.
Re: OpenBSD 6.x and wxallowed
From: "Nelson H. F. Beebe"
Date: Fri, 18 Oct 2019 07:39:26 -0600

> Has anyone looked into the problem of enumerating packages that are
> installed in the /usr/local tree that actually NEED simultaneous write
> and execute access?

You can find that as below:

$ grep -rHI USE_WXNEEDED /usr/ports/ | wc
64 2013827
$

Above result is my amd64 box with 6.6 current.
--
ASOU Masato
Re: OpenBSD 6.x and wxallowed
Nelson H. F. Beebe wrote:
> If only a small number of packages need W^X capability, would it make
> sense to create a separate file tree for them, and let every other
> part of the filesystem enjoy W^X protection, along with additional
> security from addition of pledge() and veil() promises into software
> packages?

We did that.

They are all in /usr/local

But you went and disabled it.

Some people just cannot be helped.

No, we will not differentiate those binaries further via a symbolic link far.
Re: OpenBSD 6.x and wxallowed
On Fri, Oct 18, 2019 at 07:39:26AM -0600, Nelson H. F. Beebe wrote:
> Because I dislike splitting disks into numerous partitions, each of
> whose sizes is a future show-stopper when they prove too small, I
> generally split disks into just root + swap. Thus, I find on our
> currently 7 versions of OpenBSD 6.x in our test farm reports like
> this:
>
> # mount
> /dev/wd0a on / type ffs (local, wxallowed)

You are creating your own problem. By default, /usr/local is mounted
wxallowed. If you choose to create a single root partition, you're
responsible for maintaining your own exploit mitigation countermeasures.

> The output of "man mount" says
>
>   wxallowed  Processes that ask for memory to be made writeable
>              plus executable using the mmap(2) and mprotect(2)
>              system calls are killed by default. This option
>              allows those processes to continue operation. It is
>              typically used on the /usr/local filesystem.
>
> OpenBSD 3.3 introduced the W^X feature in 2004, and some other O/Ses
> have implemented it as well since then.
>
> Has anyone looked into the problem of enumerating packages that are
> installed in the /usr/local tree that actually NEED simultaneous write
> and execute access?
>
> If only a small number of packages need W^X capability, would it make
> sense to create a separate file tree for them, and let every other
> part of the filesystem enjoy W^X protection, along with additional
> security from addition of pledge() and veil() promises into software
> packages?
>
> ---
> - Nelson H. F. Beebe                   Tel: +1 801 581 5254
> - University of Utah                   FAX: +1 801 581 4148
> - Department of Mathematics, 110 LCB   Internet e-mail: be...@math.utah.edu
> - 155 S 1400 E RM 233                  be...@acm.org be...@computer.org
> - Salt Lake City, UT 84112-0090, USA   URL: http://www.math.utah.edu/~beebe/
> ---
Re: OpenBSD 6.x and wxallowed
On Fri, Oct 18, 2019 at 07:39:26AM -0600, Nelson H. F. Beebe wrote:
> Because I dislike splitting disks into numerous partitions, each of
> whose sizes is a future show-stopper when they prove too small, I
> generally split disks into just root + swap.

> If only a small number of packages need W^X capability, would it make
> sense to create a separate file tree for them
OpenBSD 6.x and wxallowed
Because I dislike splitting disks into numerous partitions, each of
whose sizes is a future show-stopper when they prove too small, I
generally split disks into just root + swap. Thus, I find on our
currently 7 versions of OpenBSD 6.x in our test farm reports like
this:

# mount
/dev/wd0a on / type ffs (local, wxallowed)

The output of "man mount" says

  wxallowed  Processes that ask for memory to be made writeable
             plus executable using the mmap(2) and mprotect(2)
             system calls are killed by default. This option
             allows those processes to continue operation. It is
             typically used on the /usr/local filesystem.

OpenBSD 3.3 introduced the W^X feature in 2004, and some other O/Ses
have implemented it as well since then.

Has anyone looked into the problem of enumerating packages that are
installed in the /usr/local tree that actually NEED simultaneous write
and execute access?

If only a small number of packages need W^X capability, would it make
sense to create a separate file tree for them, and let every other
part of the filesystem enjoy W^X protection, along with additional
security from addition of pledge() and veil() promises into software
packages?

---
- Nelson H. F. Beebe                   Tel: +1 801 581 5254
- University of Utah                   FAX: +1 801 581 4148
- Department of Mathematics, 110 LCB   Internet e-mail: be...@math.utah.edu
- 155 S 1400 E RM 233                  be...@acm.org be...@computer.org
- Salt Lake City, UT 84112-0090, USA   URL: http://www.math.utah.edu/~beebe/
---