Module Name: src
Committed By: jruoho
Date: Fri Mar 18 15:21:57 UTC 2011
Modified Files:
src/distrib/sets/lists/man: mi
src/share/man/man7: Makefile intro.7
src/share/man/man8: Makefile
Added Files:
src/share/man/man7: security.7
Removed Files:
src/share/man/man8: security.8
Log Message:
Move security(8) to section 7. Discussed on source-changes a while back.
Should address PR # 35718 at least partially.
To generate a diff of this commit:
cvs rdiff -u -r1.1302 -r1.1303 src/distrib/sets/lists/man/mi
cvs rdiff -u -r1.26 -r1.27 src/share/man/man7/Makefile
cvs rdiff -u -r1.18 -r1.19 src/share/man/man7/intro.7
cvs rdiff -u -r0 -r1.1 src/share/man/man7/security.7
cvs rdiff -u -r1.99 -r1.100 src/share/man/man8/Makefile
cvs rdiff -u -r1.28 -r0 src/share/man/man8/security.8
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/distrib/sets/lists/man/mi
diff -u src/distrib/sets/lists/man/mi:1.1302 src/distrib/sets/lists/man/mi:1.1303
--- src/distrib/sets/lists/man/mi:1.1302 Thu Mar 17 02:35:28 2011
+++ src/distrib/sets/lists/man/mi Fri Mar 18 15:21:56 2011
@@ -1,4 +1,4 @@
-# $NetBSD: mi,v 1.1302 2011/03/17 02:35:28 joerg Exp $
+# $NetBSD: mi,v 1.1303 2011/03/18 15:21:56 jruoho Exp $
#
# Note: don't delete entries from here - mark them as "obsolete" instead.
#
@@ -2032,6 +2032,7 @@
./usr/share/man/cat7/release.0 man-reference-catman .cat
./usr/share/man/cat7/rump_sp.0 man-reference-catman .cat
./usr/share/man/cat7/script.0 man-reference-catman .cat
+./usr/share/man/cat7/security.0 man-reference-catman .cat
./usr/share/man/cat7/setuid.0 man-reference-catman .cat
./usr/share/man/cat7/signal.0 man-reference-catman .cat
./usr/share/man/cat7/sticky.0 man-reference-catman .cat
@@ -2702,7 +2703,7 @@
./usr/share/man/cat8/schedctl.0 man-sysutil-catman .cat
./usr/share/man/cat8/scsictl.0 man-sysutil-catman .cat
./usr/share/man/cat8/sdpd.0 man-sysutil-catman .cat
-./usr/share/man/cat8/security.0 man-sys-catman .cat
+./usr/share/man/cat8/security.0 man-obsolete obsolete
./usr/share/man/cat8/sendmail.0 man-obsolete obsolete
./usr/share/man/cat8/services_mkdb.0 man-sysutil-catman .cat
./usr/share/man/cat8/sesd.0 man-sysutil-catman .cat
@@ -4704,6 +4705,7 @@
./usr/share/man/html7/release.html man-reference-htmlman html
./usr/share/man/html7/rump_sp.html man-reference-htmlman html
./usr/share/man/html7/script.html man-reference-htmlman html
+./usr/share/man/html7/security.html man-reference-htmlman html
./usr/share/man/html7/setuid.html man-reference-htmlman html
./usr/share/man/html7/signal.html man-reference-htmlman html
./usr/share/man/html7/sticky.html man-reference-htmlman html
@@ -5220,7 +5222,7 @@
./usr/share/man/html8/schedctl.html man-sysutil-htmlman html
./usr/share/man/html8/scsictl.html man-sysutil-htmlman html
./usr/share/man/html8/sdpd.html man-sysutil-htmlman html
-./usr/share/man/html8/security.html man-sys-htmlman html
+./usr/share/man/html8/security.html man-obsolete obsolete
./usr/share/man/html8/services_mkdb.html man-sysutil-htmlman html
./usr/share/man/html8/sesd.html man-sysutil-htmlman html
./usr/share/man/html8/setencstat.html man-sysutil-htmlman html
@@ -7356,6 +7358,7 @@
./usr/share/man/man7/re_format.7 man-reference-man .man
./usr/share/man/man7/release.7 man-reference-man .man
./usr/share/man/man7/script.7 man-reference-man .man
+./usr/share/man/man7/security.7 man-reference-man .man
./usr/share/man/man7/setuid.7 man-reference-man .man
./usr/share/man/man7/signal.7 man-reference-man .man
./usr/share/man/man7/sticky.7 man-reference-man .man
@@ -8027,7 +8030,7 @@
./usr/share/man/man8/schedctl.8 man-sysutil-man .man
./usr/share/man/man8/scsictl.8 man-sysutil-man .man
./usr/share/man/man8/sdpd.8 man-sysutil-man .man
-./usr/share/man/man8/security.8 man-sys-man .man
+./usr/share/man/man8/security.8 man-obsolete obsolete
./usr/share/man/man8/sendmail.8 man-obsolete obsolete
./usr/share/man/man8/services_mkdb.8 man-sysutil-man .man
./usr/share/man/man8/sesd.8 man-sysutil-man .man
Index: src/share/man/man7/Makefile
diff -u src/share/man/man7/Makefile:1.26 src/share/man/man7/Makefile:1.27
--- src/share/man/man7/Makefile:1.26 Tue Dec 14 16:18:15 2010
+++ src/share/man/man7/Makefile Fri Mar 18 15:21:57 2011
@@ -1,10 +1,10 @@
-# $NetBSD: Makefile,v 1.26 2010/12/14 16:18:15 jruoho Exp $
+# $NetBSD: Makefile,v 1.27 2011/03/18 15:21:57 jruoho Exp $
# @(#)Makefile 8.1 (Berkeley) 6/5/93
# missing: eqnchar.7 man.7 ms.7 term.7
MAN= ascii.7 c.7 environ.7 glob.7 hier.7 hostname.7 intro.7 mailaddr.7 \
- module.7 nls.7 operator.7 orders.7 pkgsrc.7 release.7 \
+ module.7 nls.7 operator.7 orders.7 pkgsrc.7 release.7 security.7 \
script.7 setuid.7 signal.7 sticky.7 symlink.7 sysctl.7 \
tests.7
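Review bot: the new entry breaks the alphabetical order the MAN list otherwise keeps; `security.7` is inserted after `release.7` but before `script.7`, whereas "sc" sorts before "se". Suggest moving it onto the next line, i.e. `script.7 security.7 setuid.7 signal.7 sticky.7 symlink.7 sysctl.7 \`, so the list stays sorted and later additions land in the obvious place.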
Index: src/share/man/man7/intro.7
diff -u src/share/man/man7/intro.7:1.18 src/share/man/man7/intro.7:1.19
--- src/share/man/man7/intro.7:1.18 Tue Dec 14 16:18:15 2010
+++ src/share/man/man7/intro.7 Fri Mar 18 15:21:57 2011
@@ -1,4 +1,4 @@
-.\" $NetBSD: intro.7,v 1.18 2010/12/14 16:18:15 jruoho Exp $
+.\" $NetBSD: intro.7,v 1.19 2011/03/18 15:21:57 jruoho Exp $
.\"
.\" Copyright (c) 1983, 1990, 1993
.\" The Regents of the University of California. All rights reserved.
@@ -29,7 +29,7 @@
.\"
.\" @(#)intro.7 8.1 (Berkeley) 6/5/93
.\"
-.Dd December 14, 2010
+.Dd March 18, 2011
.Dt INTRO 7
.Os
.Sh NAME
@@ -88,6 +88,9 @@
releases and snapshots
.It Xr script 7
how interpreter scripts are executed
+.It Xr security 7
+security features available in
+.Nx
.It Xr setuid 7
checklist for security and setuid programs
.It Xr signal 7
Index: src/share/man/man8/Makefile
diff -u src/share/man/man8/Makefile:1.99 src/share/man/man8/Makefile:1.100
--- src/share/man/man8/Makefile:1.99 Wed Jan 26 11:25:51 2011
+++ src/share/man/man8/Makefile Fri Mar 18 15:21:57 2011
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.99 2011/01/26 11:25:51 nisimura Exp $
+# $NetBSD: Makefile,v 1.100 2011/03/18 15:21:57 jruoho Exp $
# from: @(#)Makefile 8.1 (Berkeley) 6/5/93
MAN= MAKEDEV.8 MAKEDEV.local.8 afterboot.8 boot.8 compat_30.8 \
@@ -7,7 +7,7 @@
compat_netbsd32.8 compat_osf1.8 compat_pecoff.8 compat_sunos.8 \
compat_svr4.8 compat_ultrix.8 diskless.8 hpcboot.8 \
intro.8 nis.8 pam.8 rc.8 rc.subr.8 rescue.8 \
- security.8 sysinst.8 veriexec.8 \
+ sysinst.8 veriexec.8 \
wizd.8
MLINKS+=MAKEDEV.8 makedev.8
MLINKS+=MAKEDEV.local.8 makedev.local.8
Added files:
Index: src/share/man/man7/security.7
diff -u /dev/null src/share/man/man7/security.7:1.1
--- /dev/null Fri Mar 18 15:21:57 2011
+++ src/share/man/man7/security.7 Fri Mar 18 15:21:57 2011
@@ -0,0 +1,428 @@
+.\" $NetBSD: security.7,v 1.1 2011/03/18 15:21:57 jruoho Exp $
+.\"
+.\" Copyright (c) 2006, 2011 Elad Efrat <[email protected]>
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote products
+.\" derived from this software without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd March 18, 2011
+.Dt SECURITY 7
+.Os
+.Sh NAME
+.Nm security
+.Nd
+.Nx
+security features
+.Sh DESCRIPTION
+.Nx
+supports a variety of security features.
+Below is a brief description of them with some quick usage examples
+that will help you get started.
+.Pp
+Contents:
+.Pp
+.Bl -hyphen -compact -offset indent
+.It
+Veriexec
+.Pq file integrity
+.It
+Exploit mitigation
+.It
+Per-user
+.Pa /tmp
+directory
+.It
+Information filtering
+.El
+.Sh VERIEXEC
+.Em Veriexec
+is a file integrity subsystem.
+.Pp
+For more information about it, and a quick guide on how to use it, please see
+.Xr veriexec 8 .
+.Pp
+In a nutshell, once enabled,
+.Em Veriexec
+can be started as follows:
+.Bd -literal -offset indent
+# veriexecgen \*[Am]\*[Am] veriexecctl load
+.Ed
+.Sh EXPLOIT MITIGATION
+.Nx
+incorporates some exploit mitigation features.
+The purpose of exploit mitigation features is to interfere
+with the way exploits work, in order to prevent them from succeeding.
+Due to that, some features may have other impacts on the system, so be sure to
+fully understand the implications of each feature.
+.Pp
+.Nx
+provides the following exploit mitigation features:
+.Pp
+.Bl -hyphen -compact -offset indent
+.It
+.Tn PaX ASLR
+.Pq Address Space Layout Randomization .
+.It
+.Tn PaX MPROTECT
+.Xr ( mprotect 2
+restrictions)
+.It
+.Tn PaX SegvGuard
+.It
+.Xr gcc 1
+stack-smashing protection
+.Pq Tn SSP
+.It
+bounds checked libc functions
+.Pq Tn FORTIFY_SOURCE
+.It
+Protections against
+.Dv NULL
+pointer dereferences
+.El
+.Ss PaX ASLR
+.Em PaX ASLR
+implements Address Space Layout Randomization
+.Pq Tn ASLR ,
+meant to complement non-executable mappings.
+Its purpose is to harden prediction of the address space layout, namely
+location of library and application functions that can be used by an attacker
+to circumvent non-executable mappings by using a technique called
+.Dq return to library
+to bypass the need to write new code to (potentially executable) regions of
+memory.
+.Pp
+When
+.Em PaX ASLR
+is used, it is more likely the attacker will fail to predict the addresses of
+such functions, causing the application to segfault.
+To detect cases where an attacker might try and brute-force the return address
+of respawning services,
+.Em PaX Segvguard
+can be used (see below).
+.Pp
+For non-PIE
+.Pq Position Independent Executable
+executables, the
+.Nx
+.Em PaX ASLR
+implementation introduces randomization to the following memory regions:
+.Pp
+.Bl -enum -compact -offset indent
+.It
+The data segment
+.It
+The stack
+.El
+.Pp
+For
+.Tn PIE
+executables:
+.Pp
+.Bl -enum -compact -offset indent
+.It
+The program itself (exec base)
+.It
+All shared libraries
+.It
+The data segment
+.It
+The stack
+.El
+.Pp
+While it can be enabled globally,
+.Nx
+provides a tool,
+.Xr paxctl 8 ,
+to enable
+.Em PaX ASLR
+on a per-program basis.
+.Pp
+Example usage:
+.Bd -literal -offset indent
+# paxctl +A /usr/sbin/sshd
+.Ed
+.Pp
+Enabling
+.Em PaX ASLR
+globally:
+.Bd -literal -offset indent
+# sysctl -w security.pax.aslr.global=1
+.Ed
+.Ss PaX MPROTECT
+.Em PaX MPROTECT
+implements memory protection restrictions,
+meant to complement non-executable mappings.
+The purpose is to prevent situations where malicious code attempts to mark
+writable memory regions as executable, often by trashing arguments to an
+.Xr mprotect 2
+call.
+.Pp
+While it can be enabled globally,
+.Nx
+provides a tool,
+.Xr paxctl 8 ,
+to enable
+.Em PaX MPROTECT
+on a per-program basis.
+.Pp
+Example usage:
+.Bd -literal -offset indent
+# paxctl +M /usr/sbin/sshd
+.Ed
+.Pp
+Enabling
+.Em PaX MPROTECT
+globally:
+.Bd -literal -offset indent
+# sysctl -w security.pax.mprotect.global=1
+.Ed
+.Ss PaX Segvguard
+.Em PaX Segvguard
+monitors the number of segmentation faults in a program on a per-user basis,
+in an attempt to detect on-going exploitation attempts and possibly prevent
+them.
+For instance,
+.Em PaX Segvguard
+can help detect when an attacker tries to brute-force a function
+return address, when attempting to perform a return-to-lib attack.
+.Pp
+.Em PaX Segvguard
+consumes kernel memory, so use it wisely.
+While it provides rate-limiting protections, records are tracked for all
+users on a per-program basis, meaning that irresponsible use may result in
+tracking all segmentation faults in the system, possibly consuming all kernel
+memory.
+.Pp
+For this reason, it is highly recommended to have
+.Em PaX Segvguard
+enabled explicitly only for network services or
+other processes deemed as critical to system security.
+Enabling
+.Em PaX Segvguard
+explicitly works like this:
+.Bd -literal -offset indent
+# paxctl +G /usr/sbin/sshd
+.Ed
+.Pp
+However, a global knob is still provided, for use in strict environments
+with no local users (for example, some network appliances, embedded devices,
+and firewalls)
+.Bd -literal -offset indent
+# sysctl -w security.pax.segvguard.global=1
+.Ed
+.Pp
+Explicitly disabling
+.Em PaX Segvguard
+is also possible:
+.Bd -literal -offset indent
+# paxctl +g /bin/ls
+.Ed
+.Pp
+In addition,
+.Em PaX Segvguard
+provides several tunable options.
+For example, to limit a program to 5 segmentation faults from the same user in
+a 60 second timeframe:
+.Bd -literal -offset indent
+# sysctl -w security.pax.segvguard.max_crashes=5
+# sysctl -w security.pax.segvguard.expiry_timeout=60
+.Ed
+.Pp
+The number of seconds a user will be suspended from running the culprit
+program is also configurable.
+For example, 10 minutes seem like a sane setting:
+.Bd -literal -offset indent
+# sysctl -w security.pax.segvguard.suspend_timeout=600
+.Ed
+.Ss GCC Stack Smashing Protection ( SSP )
+As of
+.Nx 4.0 ,
+.Xr gcc 1
+includes
+.Em SSP ,
+a set of compiler extensions to raise the bar on exploitation attempts by
+detecting corruption of variables and buffer overruns, which may be used to
+affect program control flow.
+.Pp
+Upon detection of a buffer overrun,
+.Em SSP
+will immediately abort execution of the program and send a log message
+to
+.Xr syslog 3 .
+.Pp
+The system (userland and kernel) can be built with
+.Em SSP
+by using the
+.Dq USE_SSP
+flag in
+.Pa /etc/mk.conf :
+.Bd -literal -offset indent
+USE_SSP=yes
+.Ed
+.Pp
+You are encouraged to use
+.Em SSP
+for software you build, by providing one of the
+.Fl fstack-protector
+or
+.Fl fstack-protector-all
+flags to
+.Xr gcc 1 .
+Keep in mind, however, that
+.Em SSP
+will not work for functions that make use of
+.Xr alloca 3 ,
+as the latter modifies the stack size during run-time, while
+.Em SSP
+relies on it being a compile-time static.
+.Pp
+Use of
+.Em SSP
+is especially encouraged on platforms without per-page execute bit granularity
+such as i386.
+As of
+.Nx 6.0 ,
+.Em SSP
+is used by default on i386 and amd64 architectures.
+.Ss FORTIFY_SOURCE
+The so-called
+.Em FORTIFY_SOURCE
+is a relatively simple technique to detect a subset of buffer overflows
+before these can do damage.
+It is integrated to
+.Xr gcc 1
+together with some common memory and string functions in the standard
+C library of
+.Nx .
+.Pp
+The underlying idea builds on the observation that there are cases where
+the compiler knows the size of a buffer.
+If a buffer overflow is suspected in a function that does little or no
+bounds checking, either a compile time warning can be issued or a
+safer substitute function can be used at runtime.
+Refer to
+.Xr ssp 3
+for additional details.
+.Pp
+The
+.Em FORTIFY_SOURCE
+is enabled by default in some parts of the
+.Nx
+source tree.
+It is also possible to explicitly enable it by defining
+the following in
+.Xr mk.conf 5 :
+.Bd -literal -offset indent
+USE_FORT=yes
+.Ed
+.Ss Protections against NULL pointer dereferences
+A certain class of attacks rely on kernel bugs that dereference
+.Dv NULL
+pointers.
+If user processes are allowed to map the virtual address 0 with
+.Xr mmap 2
+or by other means, there is a risk that code or data
+can be injected into the kernel address space.
+.Pp
+In
+.Nx
+it is possible to restrict whether user processes are
+allowed to make mappings at the zero address.
+By default, address 0 mappings are restricted
+on the i386 and amd64 architectures.
+It is however known that some third-party programs
+may not function properly with the restriction.
+Such mappings can be allowed either by using the
+.Dv USER_VA0_DISABLE_DEFAULT
+kernel configuration
+.Xr option 4
+or by changing the following variable at runtime:
+.Bd -literal -offset indent
+# sysctl -w vm.user_va0_disable=0
+.Ed
+.Pp
+Note that if
+.Em securelevel
+(see
+.Xr secmodel_securelevel 9 )
+is greater than zero, it is not possible to change the
+.Xr sysctl 8
+variable.
+.Sh PER-USER TEMPORARY STORAGE
+It is possible to configure per-user temporary storage to avoid potential
+security issues (race conditions, etc.) in programs that do not make secure
+usage of
+.Pa /tmp .
+.Pp
+To enable per-user temporary storage, add the following line to
+.Xr rc.conf 5 :
+.Bd -literal -offset indent
+per_user_tmp=YES
+.Ed
+.Pp
+If
+.Pa /tmp
+is a mount point, you will also need to update its
+.Xr fstab 5
+entry to use
+.Dq /private/tmp
+(or whatever directory you want, if you override the default using the
+.Dq per_user_tmp_dir
+.Xr rc.conf 5
+keyword) instead of
+.Dq /tmp .
+.Pp
+Following that, run:
+.Bd -literal -offset indent
+# /etc/rc.d/perusertmp start
+.Ed
+.Pp
+The per-user temporary storage is implemented by using
+.Dq magic symlinks .
+These are further described in
+.Xr symlink 7 .
+.Sh INFORMATION FILTERING
+.Nx
+provides administrators the ability to restrict information passed from
+the kernel to userland so that users can only view information they
+.Dq own .
+.Pp
+The hooks that manage this restriction are located in various parts of the
+system and affect programs such as
+.Xr ps 1 ,
+.Xr fstat 1 ,
+and
+.Xr netstat 1 .
+Information filtering is enabled as follows:
+.Bd -literal -offset indent
+# sysctl -w security.curtain=1
+.Ed
+.Sh SEE ALSO
+.Xr ssp 3 ,
+.Xr options 4 ,
+.Xr paxctl 8 ,
+.Xr sysctl 8 ,
+.Xr veriexec 8
+.Sh AUTHORS
+.An Elad Efrat Aq [email protected]
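Review bot: in the "Protections against NULL pointer dereferences" subsection the cross-reference `.Xr option 4` points at a page name that does not exist, while the SEE ALSO section of the same file correctly lists `.Xr options 4`; suggest `.Xr options 4` there too so the link resolves and the two references agree. Two smaller points in the same subsection and nearby: the sentence "there is a risk that code or data can be injected into the kernel address space" overstates what happens; the risk is that a kernel NULL dereference reads or executes attacker-controlled memory that the process mapped at user virtual address 0, so "can be placed where a kernel NULL pointer dereference will reach it" would be more accurate. In the Segvguard subsection "10 minutes seem like a sane setting" should read "seems", and the SSP subsection refers to the file as `.Pa /etc/mk.conf` while the FORTIFY_SOURCE subsection uses `.Xr mk.conf 5`; pick one form for both.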