Jason Miller, 2006-01-18
A recently announced weakness in the BSD securelevel system isn't going to be fixed in OpenBSD. While securelevel may have problems, the vendor's security response is unacceptable and doesn't fit with their stated goals.
How not to respond to a security advisory
2006-01-19
Miles (3 replies)
Re: How not to respond to a security advisory
2006-01-19
Dwight
It really doesn't matter why Theo said it. For argument's sake, even if Theo is fully correct, then it doesn't make sense to give users a "security" feature you know is broken. In his response he says it's useless and doesn't provide security; in the OpenBSD man page it says it provides security. Which is...
Secure levels as a control is too coarse grained
2006-01-19
Anonymous (1 replies)
It is way too coarse grained for suitable control. Things that are disabled (at a level 2) still need to be done to online systems. Even at level 1 you have a number of problems.
a. if a filesystem is damaged (hardware failure) you cannot take it out of service for repair/replacement without rebo...
Re: Secure levels as a control is too coarse grained
2006-01-21
Anonymous
All true, but you're reiterating points that the article agrees with.
The article isn't defending securelevels as useful or highly secure. It's simply saying they should either be fixed, or removed.
A crude, unqualified "won't fix because it is useless" is a bad position to take here. If it...
How not to respond to a security advisory
2006-01-19
Anonymous
I keep track of the OpenBSD mailing list. Unfortunately, this attitude is quite normal for Theo and it has spread to several of the other developers as well. If securelevels are so useless, why hasn't the OpenBSD team designed a better solution? I'm sure they'd give numerous reasons why. Until a...
How not to respond to a security advisory
2006-01-19
Anonymous (1 replies)
would you like a little cheese with your whine?
I am surprised you did not include any formal input from the openbsd team as to why they choose to let it die on the vine.
You could always code it yourself instead of complaining about others not doing work for you. Can't code - hire someone on t...
Re: How not to respond to a security advisory
2006-01-25
Matthew Murphy
Why does Jason need to include "formal input from the OpenBSD team"? He has it, in the form of the comment from Theo De Raadt.
OpenBSD didn't choose to "let it die on the vine" (it still ships, vulnerability-and-all). They just aren't fixing it because it's one less security bug for them to adm...
How not to respond to a security advisory
2006-01-19
DS
Interesting how these advisories always paint the flaw in the darkest shades possible.
Securelevels provide far more than the immutable and other flag capabilities for files. Do read the manual page:
http://www.openbsd.org/cgi-bin/man.cgi?query=securelevel&sektion=7&apropos=0&manpath=OpenBSD+...
How not to respond to a security advisory
2006-01-19
Anonymous (2 replies)
How not to respond to a security advisory
2006-01-19
Anonymous
The comment about "useless" securelevels is odd, yes.
It should be added that this bug is really minor (yes, the chflag'ed file isn't really modified, and yes, if you don't control who can mount things on the system, you'll have greater problems). It's nearly excessive to call this a security flaw....
Theo being theo...
2006-01-19
Anonymous (2 replies)
You don't get around much. That's how Theo reacts to pretty much everything. Find a security issue in OpenBSD and he redefines the meaning of "security issue" or blows it off, and then spends a month on the mailing lists calling anyone who mentions it an idiot....
Re: Theo being theo...
2006-01-20
Anonymous
But I don't see how this IS a security issue. If the attacker has root access, then you have bigger problems. If the attacker mounts another filesystem over an important immutable filesystem, then he will be working with privileges he ALREADY HAD on files which are NOT the immutable files. Temporari...
Re: Theo being theo...(Theo is best!) :)
2006-01-23
LinuxUser
I find Theo's flaming personality...ummm...refreshing :)
He is much more dynamic than Torvalds and represents a leading character in the *BSD world...
The following words, taken from an old interview, sum up his attitude pretty well:
"Some vague claims have been made that the fuss was ove...
How not to respond to a security advisory
2006-01-20
Anonymous (1 replies)
Mr. Miller, you have written an entire column around one flippant remark. Why not look at the issues instead?
...
How not to respond to a security advisory
2006-01-20
Fred Cohen
The OpenBSD people are correct. They are really only a veneer of security and not a realistic protection mechanism. They are readily defeated by a user who is root regardless of any claims that they would not be, and this cannot be undone because root has access to all of memory and all of the hardw...
TdR says loud what Linux & FreeBSD assume silently
2006-01-20
Anonymous
This "security advisory" is only publicity for RedTeam (not a security problem).
Proof: at the end of the day Linux and FreeBSD just ignored (didn't "fix") anything.
The result is the same, from a security viewpoint.
RedTeam made false assumptions about a security problem because of a misinter...
How not to respond to a security advisory
2006-01-20
Anonymous (1 replies)
It's actually a typical response from the OpenBSD group. Just another reason why the Linux community is so much more attractive to new/current users....
How not to respond to a security advisory
2006-01-21
Anonymous (1 replies)
"FreeBSD is still discussing the issue and no further response from the Linux maintainer has been received yet."
You do, of course, realize that FreeBSD is not a Linux maintainer, right? I won't start a flamewar by trying to tell you the technical & ideological differences, so I'll just say this...
"Root problem" again
2006-01-24
Alexey Vesnin
Again and again.... Root, who can do everything, is not a problem. A dumb sysadmin who has its privileges is the problem - not the root user itself. You MUST have such a user in the system to do a lot of jobs, often violating common policies... Securelevels were always a question of taste, no more. System ker...
How not to respond to a security advisory
2006-01-25
Michael Favinsky (1 replies)
OpenBSD is one of the few production-grade UN*X projects in existence where you, as an end user, have a direct line to the OS developers, where the developers actually read your email and take the time to respond. You don't get this privilege with Microsoft, and you definitely don't get this privile...
Re: How not to respond to a security advisory
2006-01-25
Anonymous (1 replies)