On Monday 21 June 2004 10:57, Michael Reifenberger wrote:
> Hi,
> As it seems, pflogd is requiring a user "_pflogd" to work, which is not
> installed by default under FreeBSD.

Oh, I knew I forgot something :-\

> As it seems, OpenBSD is aggressively using "_<service>" users.
> Is this something we should follow?

I'll try to explain the reasoning behind this. If there are a zillion processes all owned by nobody:nogroup and an attacker manages to obtain control over one of them, the rest might be easy/easier prey. The evildoer will have better chances to obtain critical resources and maybe root in the end.

This might seem like OpenBSD/paranoia, but my opinion on it is: It's done, so why not port it over? It also helps to keep the diff down (which means less work).

If there is no resistance against "yet another user", I will add _pflogd.

On a related note: OpenBSD also introduced an ioctl to lock a bpf descriptor, thus making it less valuable for a possible attacker. This is a sane thing for long-running processes such as IDS or pflog, and I am wondering if we should port it. It's a simple enough thing and I will post diffs on -net later.

-- 
Best regards,                        | mlaier_at_freebsd.org
Max Laier                            | ICQ #67774661
http://pf4freebsd.love2party.net/    | mlaier_at_EFnet
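As an added example (not code from the thread, from pflogd or from either BSD), here is the startup sequence the message argues for: configure the bpf descriptor while still root, lock it, then switch irrevocably to the dedicated account. It assumes the lock ioctl is named BIOCLOCK as in OpenBSD's bpf(4), that the account is `_pflogd`, and that the device path is `/dev/bpf`; on systems without BIOCLOCK the lock step reports ENOTSUP instead of silently passing.

```c
/* Added example, not from the thread: pflogd-style startup hardening.
 * Assumes the lock ioctl is BIOCLOCK (OpenBSD bpf(4)) and the account _pflogd. */
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <unistd.h>
#if defined(__OpenBSD__) || defined(__FreeBSD__)
#include <net/bpf.h>          /* defines BIOCLOCK on these systems */
#endif

/* Lock the bpf descriptor so later ioctls cannot retarget or reconfigure it.
 * Returns 0 on success, -1 (errno set) on failure or where BIOCLOCK is unknown. */
int lock_bpf(int fd)
{
#ifdef BIOCLOCK
    return ioctl(fd, BIOCLOCK, NULL);
#else
    (void)fd; errno = ENOTSUP; return -1;
#endif
}

/* Switch from root to the dedicated account and check the switch is real:
 * all ids must match and setuid(0) must now fail. Without root there is
 * nothing to drop, so only the verification runs. Returns 0 when safe. */
int drop_to(uid_t uid, gid_t gid)
{
    if (geteuid() == 0) {
        if (setgroups(1, &gid) == -1) return -1; /* supplementary groups first */
        if (setgid(gid) == -1) return -1;        /* gid before uid, or setgid fails */
        if (setuid(uid) == -1) return -1;        /* sets real, effective and saved */
    }
    if (getuid() != uid || geteuid() != uid || getgid() != gid) return -1;
    if (uid != 0 && setuid(0) != -1) return -1;  /* saved uid still 0: not dropped */
    return 0;
}

int main(void)
{
    struct passwd *pw = getpwnam("_pflogd");     /* the missing account from the report */
    if (pw == NULL) { fputs("user _pflogd missing\n", stderr); return 1; }
    int fd = open("/dev/bpf", O_RDONLY);         /* path is an assumption; needs root */
    /* ... BIOCSETIF / filter setup would go here, while still root ... */
    if (fd != -1 && lock_bpf(fd) == -1) perror("BIOCLOCK");
    if (drop_to(pw->pw_uid, pw->pw_gid) == -1) { fputs("drop_to failed\n", stderr); return 1; }
    return 0;                                    /* from here on the process is _pflogd only */
}
```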
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:37:58 UTC