Re: cpuctl (formerly devcpu) patch test request

From: Rui Paulo <rpaulo_at_FreeBSD.org>
Date: Mon, 16 Jun 2008 19:10:17 +0100

On Mon, Jun 16, 2008 at 5:44 PM, Stanislav Sedov <stas_at_freebsd.org> wrote:
> On Sun, 15 Jun 2008 15:26:39 -0400
> Coleman Kane <cokane_at_FreeBSD.org> mentioned:
>
>> I think the anti-foot-shooting measures referred to above were also
>> taken into consideration for security reasons. It might be valuable for
>> someone to be able to configure this feature to be rdmsr-only, thereby
>> limiting potential harm vectors in the event that an attacker is likely
>> to crack access to the system for supervisory privileges. This would be
>> a legitimate consideration to make, especially so that the module could
>> at least provide a sane "safe operating mode" to those that would
>> benefit from read-only access.
>>
>> So, for example, I would consider most crackers to be skilled enough to
>> inject an ioctl call somewhere, even if the primary user of the system
>> is not so skilled, but they want to use software written by others that
>> makes use of this interface.
>
> On the other hand, providing extra security levels via sysctl looks
> slightly overkill to me, as if the attacker would be able to issue
> an ioctl call somewhere it would be easy for him to make a sysctl
> call as well. Priv(9) checks and/or securelevels could be used
> to limit the usage of this functionality. Furthermore, there're
> a lot of other possible ways to execute msr instructions,
> including loading your own simple kernel object.

There's no security issue here.
If the system administrator is concerned about "security" of cpuctl,
he/she just has to compile-out cpuctl or remove the module from the
file system.

Regards,
-- 
Rui Paulo
Received on Mon Jun 16 2008 - 16:10:18 UTC
