From owner-FreeBSD-users-jp@jp.freebsd.org  Tue Feb 27 15:32:08 2001
Received: (from daemon@localhost)
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) id PAA85040;
	Tue, 27 Feb 2001 15:32:08 +0900 (JST)
	(envelope-from owner-FreeBSD-users-jp@jp.FreeBSD.org)
Received: from zebu.riken.go.jp (zebu.riken.go.jp [134.160.20.73])
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) with SMTP id PAA85034
	for <FreeBSD-users-jp@jp.freebsd.org>; Tue, 27 Feb 2001 15:32:08 +0900 (JST)
	(envelope-from mitsuru@zebu.riken.go.jp)
Received: (qmail 80136 invoked from network); 27 Feb 2001 06:32:23 -0000
Received: from localhost (127.0.0.1)
  by localhost with SMTP; 27 Feb 2001 06:32:23 -0000
Date: Tue, 27 Feb 2001 15:32:01 +0900 (JST)
Message-Id: <20010227.153201.596584427.mitsuru@zebu.riken.go.jp>
To: FreeBSD-users-jp@jp.freebsd.org
From: Mitsuru Yoshida <mitsuru@zebu.riken.go.jp>
In-Reply-To: <20010226172455B.koya@math.yokohama-cu.ac.jp>
References: <20010224083224T.ipfw@ya3.so-net.ne.jp>
	<20010226.120307.730549381.mitsuru@zebu.riken.go.jp>
	<20010226172455B.koya@math.yokohama-cu.ac.jp>
X-Mailer: Mew version 1.95b103 on XEmacs 21.1.14 
Mime-Version: 1.0
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
Reply-To: FreeBSD-users-jp@jp.freebsd.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+000315
X-Sequence: FreeBSD-users-jp 59330
Subject: [FreeBSD-users-jp 59330] Re: dmesg -a
Errors-To: owner-FreeBSD-users-jp@jp.freebsd.org
Sender: owner-FreeBSD-users-jp@jp.freebsd.org
X-Originator: mitsuru@zebu.riken.go.jp

> > Indeed, it does show up with sysctl -a...
> > That's a problem. Does it have to be fixed starting from libc's sysctl? I'm beginning
> > to feel this is a bit more than I can handle.
> > The latter half also has to be dealt with somehow.
 I received the following mail from Robert.
# Though it's something you would know if you were following the PR...
==========================================================================
Please back out this change.  The syslog hack was fairly bogus *before*
this change, but now it's gone from being bogus to being a vulnerability.
This is because the heuristic used to differentiate syslog messages and
console messages is not always correct, as (a) this prevents dmesg from
showing strings the kernel prints that are in the format of syslog
messages, and (b) wrap-around in the dmesg buffer in kernel can result in
messages being displayed when the syslog string prefix is squished.  So
you've turned what was an innocent hack into a security problem, since
you now make a security guarantee about the availability of the
messages.

We're also about to commit changes to dmesg to make it no longer require
privilege when used on a live system by virtue of the existing sysctl (on
i386) currently exporting the message buffer, so this piece of "security"
doesn't even prevent users from getting to the data, as they can currently
extract it directly using sysctl and don't have to use the dmesg command.

We're currently considering adding two new sysctl's that could be used to
restrict creation and access to msgbuf data.  First, a sysctl that toggles
whether or not console output is sent to the message buffer.  Second, a
sysctl that toggles whether or not dmesg output is available in jail().
==========================================================================

So it seems they properly understand what is wrong, and apparently they plan to
fix it, so it looks like we should just wait a while.
# I don't really understand the English in the first half, but I wonder if it means
# "thanks to this, it got promoted to a vulnerability."

> After that, rebuild and install the kernel. I have only tested it
> a little, but at least with this, the contents of work done in
> single user mode no longer show up. It is effective for all of dmesg, sysctl,
> and /var/log/console.log.
 Oh. So a single line is all it takes.
# How do people find that sort of thing?

> If you have time, please try it out.
> That said, I have only tested it a little, so
> there may be things I have overlooked.
> 
> However, doing this means that records for debugging can no longer be captured.
> For the time being, on -current machines that I use alone and run make world on
> frequently, I will leave things as they are, but for those who are concerned about
> security and in a hurry, I think this can at least serve as a stopgap.
> It is admittedly an ad hoc measure, though...
 On my machines everything is stuff I don't need to worry much about for now, but
there should be many people who would be glad to have this. Thank you very much.
Would it be better to have it released as a provisional fix?
Or is it better not to release that kind of provisional fix?


$B5HED(B $B=<!w>pJs4D6-<<(B.$BM}2=3X8&5f=j(B (mitsuru@zebu.riken.go.jp)
http://w3cic.riken.go.jp/~mitsuru/index.html
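
The two failure modes named in Robert's mail, (a) and (b), shown as an added example that is not part of the original message and is not FreeBSD's dmesg or kernel code. It models the message buffer as a toy ring and assumes the heuristic is "a line starting with `<digits>` is syslog"; `BUFSZ`, the function names and the sample lines are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define BUFSZ 48                 /* constructed: tiny so wrap-around is easy to trigger */
static char ring[BUFSZ];
static size_t total;             /* bytes ever written to the ring */

static void ring_reset(void) { memset(ring, 0, sizeof ring); total = 0; }

static void ring_write(const char *s) {
    for (; *s; s++) ring[total++ % BUFSZ] = *s;   /* oldest bytes are overwritten */
}

/* Assumed heuristic: a line is a syslog message iff it starts with "<digits>". */
static int looks_like_syslog(const char *line) {
    const char *p = line;
    if (*p++ != '<' || !isdigit((unsigned char)*p)) return 0;
    while (isdigit((unsigned char)*p)) p++;
    return *p == '>';
}

/* Linearise the ring (oldest surviving byte first), drop lines the heuristic
 * classifies as syslog, copy the rest to out (needs >= BUFSZ + 2 bytes). */
static int filtered_dump(char *out) {
    char flat[BUFSZ + 1];
    size_t n = total < BUFSZ ? total : BUFSZ;
    size_t start = total < BUFSZ ? 0 : total % BUFSZ;
    int shown = 0;
    for (size_t i = 0; i < n; i++) flat[i] = ring[(start + i) % BUFSZ];
    flat[n] = '\0';
    out[0] = '\0';
    for (char *l = strtok(flat, "\n"); l; l = strtok(NULL, "\n"))
        if (!looks_like_syslog(l)) { strcat(out, l); strcat(out, "\n"); shown++; }
    return shown;
}

int main(void) {
    char out[BUFSZ + 2];
    ring_reset();
    ring_write("<6>kernel-printed text\n");      /* (a) kernel line shaped like syslog */
    printf("(a) lines shown: %d\n", filtered_dump(out));
    ring_reset();
    ring_write("<38>syslog private line\n");     /* meant to stay hidden */
    ring_write("em0: link up\n");
    ring_write("ad0: attached\n");               /* wraps and clobbers the "<38" */
    filtered_dump(out);
    printf("(b) after wrap:\n%s", out);
    return 0;
}
```

In case (a) the kernel's own line is suppressed; in case (b) the line that the filter hid before the wrap is displayed afterwards, because its prefix no longer matches.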
