Re: not exactly (Re: systrace removed? Why?)

2016-09-03 Thread Michal Bozon
if someone's interested, here is a list of fs differences
between 6.0 upgraded from 5.9, and 6.0 install, i found,
with some obvious differences like smtpd spool or sysmerge
backups removed (amd64/qemu):

http://pastebin.com/raw/VPkdbvxy (text/plain)

(not pasting because of long lines)

hth



Re: not exactly (Re: systrace removed? Why?)

2016-09-03 Thread Edgar Pettijohn

On Sep 3, 2016, at 12:46 PM, Michal Bozon wrote:

>> good(?) news: sysmerge is gone in 6.0
>> but not removed by 5.9 to 6.0 upgrade process.
> 
> s/sysmerge/systrace/
> 

pledge()



Re: not exactly (Re: systrace removed? Why?)

2016-09-03 Thread Michal Bozon
> > good(?) news: sysmerge is gone in 6.0
> > but not removed by 5.9 to 6.0 upgrade process.
> > 
> 
> I really have a hard time understanding what you're trying to point out.
> 
> Yes, systrace is gone, but it's an ordinary binary that does no harm,
> feel free to remove it if it makes you feel better.
> 
> sysmerge isn't gone, but it is executed automatically if you use a
> bsd.rd upgrade, hence it's only mentioned in the manual upgrade process.

ok, never mind,
i have just spotted it when comparing fs trees of
freshly installed 6.0 and
freshly installed/upgraded 5.9/6.0

.. and made sure to report it immediately,
since the removal of systrace is advertised
as a security enhancement :)
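
The comparison described in this message and in the file-system diff posted earlier in the thread, as an added example that is not part of the original posts: a shell function that takes a file manifest from a fresh install and one from an upgraded system and lists paths that exist only on the upgraded one, skipping the expected differences the thread mentions. The function names, the ignore prefixes and the sample paths are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: find files that survive an upgrade but are absent from a
# fresh install of the same release (e.g. a binary dropped from base).
# Manifests hold one absolute path per line, e.g. produced on each machine
# with:  find /bin /sbin /usr /etc /var -type f | sort > manifest.txt

# Path prefixes expected to differ between machines (assumed; adjust locally).
IGNORE_PREFIXES='/var/spool/smtpd/
/var/sysmerge/
/var/log/
/tmp/'

# stale_after_upgrade FRESH UPGRADED
# Prints paths present only in UPGRADED, minus the ignored prefixes.
stale_after_upgrade() {
    fresh=$1 upgraded=$2
    tmpd=$(mktemp -d) || return 1
    # comm needs both inputs sorted under the same collation, so force C.
    LC_ALL=C sort -u "$fresh" > "$tmpd/fresh"
    LC_ALL=C sort -u "$upgraded" > "$tmpd/upgraded"
    # Turn each prefix into an anchored pattern for grep -f.
    printf '%s\n' "$IGNORE_PREFIXES" | sed 's/^/^/' > "$tmpd/ignore"
    rc=0
    # comm -13 keeps lines unique to the second file (the upgraded system).
    LC_ALL=C comm -13 "$tmpd/fresh" "$tmpd/upgraded" |
        grep -v -f "$tmpd/ignore" || rc=$?
    rm -rf "$tmpd"
    # grep exits 1 when nothing is left over; that is a clean result here.
    [ "$rc" -le 1 ]
}

# Constructed sample manifests (not real system listings).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' /bin/cat /bin/sh /usr/sbin/sysmerge > "$d/fresh"
    printf '%s\n' /bin/cat /bin/sh /bin/systrace /usr/sbin/sysmerge \
        /var/sysmerge/etc.tgz /var/spool/smtpd/queue/00/x > "$d/upgraded"
    stale_after_upgrade "$d/fresh" "$d/upgraded"
    rm -rf "$d"
}

demo   # prints /bin/systrace
```

Anything the function reports is a candidate for manual review; whether a leftover file matters depends on what it is and whether anything still invokes it.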



Re: not exactly (Re: systrace removed? Why?)

2016-09-03 Thread Michal Bozon
> good(?) news: sysmerge is gone in 6.0
> but not removed by 5.9 to 6.0 upgrade process.

s/sysmerge/systrace/



Re: not exactly (Re: systrace removed? Why?)

2016-09-03 Thread Theo Buehler
On Sat, Sep 03, 2016 at 05:37:22PM +, Michal Bozon wrote:
> > Why?
> 
> good(?) news: sysmerge is gone in 6.0
> but not removed by 5.9 to 6.0 upgrade process.
> 

I really have a hard time understanding what you're trying to point out.

Yes, systrace is gone, but it's an ordinary binary that does no harm,
feel free to remove it if it makes you feel better.

sysmerge isn't gone, but it is executed automatically if you use a
bsd.rd upgrade, hence it's only mentioned in the manual upgrade process.



not exactly (Re: systrace removed? Why?)

2016-09-03 Thread Michal Bozon
> Why?

good(?) news: sysmerge is gone in 6.0
but not removed by 5.9 to 6.0 upgrade process.



Re: systrace removed? Why?

2016-04-27 Thread Christian Weisgerber
On 2016-04-27, Marc Espie wrote:

> Race-conditiony things that make you go hum, oh shit is this thing
> more dangerous than what it's actually protecting. Plus semantic bugs.
> Like the time we had to hunt a really weird copy bug in the qt code until
> we realized it was just systrace fucking up.

Then there was the instance where a configure script would produce
a different result when run under systrace, causing a port to be
built differently.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: systrace removed? Why?

2016-04-27 Thread Marc Espie
There were some significant issues with systrace over the years.

Race-conditiony things that make you go hum, oh shit is this thing
more dangerous than what it's actually protecting. Plus semantic bugs.
Like the time we had to hunt a really weird copy bug in the qt code until
we realized it was just systrace fucking up.

Good riddance.



Re: systrace removed? Why?

2016-04-26 Thread Kevin Chadwick
> it is not important.
> 
> systrace was effectively deprecated 4-10 years ago, when there stopped
> being a maintainer for it, or the broken ecosystem surrounding.
> 
> That was a gap needed to consider a replacement model.
> 
> What do you want here?

I guess nothing important.

I am happy with pledge (I love it) as a replacement. I was simply
wondering what the potential dangers are for my web server that utilises
systrace on 5.9 along with newly pledged base processes and a few port
processes, currently it appears to be working fine, perhaps its
performance has suffered but I haven't noticed. I guess it takes
hundreds of syscalls to notice and I will simply switch to pledge when
performance requirements demand my time which I hope will happen within
6 months ;) . I already had plans to move to a potentially custom
pledged c binary (if my use case can be more restricted) and a nicer
and lighter system anyway.

So thanks for the hard work.

-- 

KISSIS - Keep It Simple So It's Securable



Re: systrace removed? Why?

2016-04-26 Thread Theo de Raadt
>> how do you mean? what happens on 5.9 when you use systrace with pledged
>> programs? Does cpu usage go through the roof by any chance? That would
>> explain why I have had to disable it to avoid waiting so long for
>> systraced desktop programs.
>
>hmmm, actually I guess the claws-mail port may not be pledged yet but
>cpu usage seemed to go through the roof on 5.9 anyways.

So it is just some theory you invented, without any facts?



Re: systrace removed? Why?

2016-04-26 Thread Theo de Raadt
>> > Unfortunately systrace overhead can be significant for monitoring
>> > complex programs but it could potentially be useful as a part of a
>> > (HIPS or system intrusion or malfunction detection for a secure
>> > server). hmmm, assuming pledge doesn't kill the offending process first,
>> > haha.  
>> 
>> systrace and pledge did not work together.  So that's baloney.
>
>how do you mean? what happens on 5.9 when you use systrace with pledged
>programs? Does cpu usage go through the roof by any chance? That would
>explain why I have had to disable it to avoid waiting so long for
>systraced desktop programs.

it is not important.

systrace was effectively deprecated 4-10 years ago, when there stopped
being a maintainer for it, or the broken ecosystem surrounding.

That was a gap needed to consider a replacement model.

What do you want here?



Re: systrace removed? Why?

2016-04-26 Thread Kevin Chadwick
> how do you mean? what happens on 5.9 when you use systrace with pledged
> programs? Does cpu usage go through the roof by any chance? That would
> explain why I have had to disable it to avoid waiting so long for
> systraced desktop programs.

hmmm, actually I guess the claws-mail port may not be pledged yet but
cpu usage seemed to go through the roof on 5.9 anyways.

-- 

KISSIS - Keep It Simple So It's Securable



Re: systrace removed? Why?

2016-04-26 Thread Kevin Chadwick
> > Unfortunately systrace overhead can be significant for monitoring
> > complex programs but it could potentially be useful as a part of a
> > (HIPS or system intrusion or malfunction detection for a secure
> > server). hmmm, assuming pledge doesn't kill the offending process first,
> > haha.  
> 
> systrace and pledge did not work together.  So that's baloney.

how do you mean? what happens on 5.9 when you use systrace with pledged
programs? Does cpu usage go through the roof by any chance? That would
explain why I have had to disable it to avoid waiting so long for
systraced desktop programs.

Thanks

-- 

KISSIS - Keep It Simple So It's Securable



Re: systrace removed? Why?

2016-04-26 Thread Theo de Raadt
> > I guess the question is: how many people actually use systrace in
> > scripts? Probably very very few.

From yesterday onwards, no one uses it.

> I use it in scripts but will look to switching to pledge when I
> have time, which I *should* be able to find in the next 6 months, haha.
> It is however sometimes insightful as a quick and dirty debugging tool.

If you stick to old code, sure.

> Unfortunately systrace overhead can be significant for monitoring
> complex programs but it could potentially be useful as a part of a
> (HIPS or system intrusion or malfunction detection for a secure
> server). hmmm, assuming pledge doesn't kill the offending process first,
> haha.

systrace and pledge did not work together.  So that's baloney.

> I guess pledging /bin/sh may throw up challenges too though I see many
> pledges in csh?

sh is pledged.

> and so is systrace useful there?

systrace was removed, so how can it be useful?



Re: systrace removed? Why?

2016-04-26 Thread Kevin Chadwick
> I guess the question is: how many people actually use systrace in
> scripts? Probably very very few.

I use it in scripts but will look to switching to pledge when I
have time, which I *should* be able to find in the next 6 months, haha.
It is however sometimes insightful as a quick and dirty debugging tool.

Unfortunately systrace overhead can be significant for monitoring
complex programs but it could potentially be useful as a part of a
(HIPS or system intrusion or malfunction detection for a secure
server). hmmm, assuming pledge doesn't kill the offending process first,
haha.

I guess pledging /bin/sh may throw up challenges too though I see many
pledges in csh? and so is systrace useful there?

-- 

KISSIS - Keep It Simple So It's Securable



Re: systrace removed? Why?

2016-04-26 Thread Stuart Henderson
On 2016-04-26, arrowscr...@mail.com wrote:
> Of course, you can put it on packages

Nope.



Re: systrace removed? Why?

2016-04-25 Thread Michael McConville
arrowscr...@mail.com wrote:
> I know about the pledge(2) development, but systrace and pledge are
> not mutually exclusive. Pledge needs to be used inline, where systrace
> can be used as a command line tool. 
> 
> If you remove it, many scripts that use systrace for privilege
> reduction will break.

I guess the question is: how many people actually use systrace in
scripts? Probably very very few.

> Of course, you can put it on packages, but if you follow this logic,
> shouldn't other tools be also removed and be on packages? banner(1)
> for example, is kind of useless. The cpan(1) pkg manager from perl also
> could be in packages. Same with sqlite3, I think. Or telnet, since
> almost no one uses it anymore. Etc.

I'm pretty sure that you can't package systrace because it needs to be
supported by the kernel. I expect that that's part of the reason why it
was removed: axing it simplifies and quickens the kernel.



Re: systrace removed? Why?

2016-04-25 Thread arrowscript
I know about the pledge(2) development, but systrace and pledge are not
mutually exclusive. Pledge needs to be used inline, where systrace can be used
as a command line tool.

If you remove it, many scripts that use systrace for privilege reduction will
break.

Of course, you can put it on packages, but if you follow this logic, shouldn't
other tools be also removed and be on packages? banner(1) for example, is kind
of useless. The cpan(1) pkg manager from perl also could be in packages. Same with
sqlite3, I think. Or telnet, since almost no one uses it anymore. Etc.



Re: systrace removed? Why?

2016-04-25 Thread Luis Coronado
Why not? In a more serious way, read misc@ and tech@ particularly in the
subject about pledge.

-luis

On Monday, 25 April 2016,  wrote:

> Why?



systrace removed? Why?

2016-04-25 Thread arrowscript
Why?