So, when I replace the user Linux box with OpenBSD, I won't be installing the sudo package.

The question is: Do I just let them get a "command not found"? Or do I write a little script that just tells them to knock it off?

@kurtm I am about to replace an aged and non-upgradable Gentoo box for casual shell users with some FreeBSD instance as well soon
@saper Feeling nostalgic for mid-1990s UNIX? :D
I installed a FreeBSD box for my wife (she wanted to run... ventrilo?). It felt *SO* much like UNIX from the mid 90s to me.
Apparently (I think @lattera will confirm), FreeBSD's security measures are still from the mid-90s. :)
@kurtm @lattera I don't know, what are the security measures from the 1990s? Ever tried things like Capsicum, for example? Or Mandatory Access Control?
@saper They still don't do ASLR.
Capsicum seems better than SELinux, but still seems over complicated.
Have you looked at pledge(2)? I really think it is the paradigm to watch going forward.
@kurtm Didn't know that one. Reminds me of the Java SecurityManager, only less granular. Maybe it's an advantage... I prefer limited APIs. Who needs more than this http://minnie.tuhs.org/cgi-bin/utree.pl?file=V7/usr/sys/sys/sysent.c
@saper The problem with the super granular stuff that is external to the program is you have to predict *everything* the software might do legitimately. Otherwise, users find their legitimate use of the software is disallowed, so they turn off the security.
@saper The big advantage to pledge over other frameworks is the software uses it.
Things like SELinux, you have to allow the privileged setup tasks for the entire run of the program. With pledge, you can do your setup tasks and then drop the capability to do those things.

@saper @kurtm

Capsicum is great as a capabilities framework, not as an exploit mitigation. It only works when applications explicitly integrate with it (and with a not-too-permissive set of capabilities). Additionally, some applications cannot be Capsicum-ized.

#FreeBSD is around 16 years behind the rest of the world as far as exploit mitigations are concerned. No ASLR, no W^X, no CFI, no meaningful exploit mitigations.

@kurtm @saper

Capsicum also doesn't prevent data-only attacks (nor can it).

@lattera @kurtm Of course you are right re mitigation measures, we were just complaining about the UNIX multiuser model. By the way, I only know CFI as a stack unwinding information feature (as in assembler directives to generate DWARF info), its application here is new to me - any pointers?
@saper If you don't know, @lattera does HardenedBSD. Basically adds the missing security to FreeBSD. If I need to run FreeBSD, I'm going to run HardenedBSD.
@kurtm @lattera needs no introduction :)
@saper @lattera Ok, good. Just realized I tagged him in and you might not know him. :)
@kurtm @lattera I hope that the future belongs to small hypervisors running minimal rump "kernels" with applications, hopefully with cut-down interfaces similar to #CloudABI. We'll see. Mainframes will be back :)