Re: It's not cool to change security-related sysctl names
On 16/01/13 17:25, Thor Lancelot Simon wrote:
> Between NetBSD 5 and NetBSD 6, the name of the 'curtain' sysctl was
> changed with no backwards compatibility.
> The result is that systems upgraded to NetBSD 6, which set curtain in
> /etc/sysctl.conf, like so:
> Will now fail to do so. If their admins don't notice the warning message
> at boot time, the system will come up and run but sensitive data may be
> disclosed (presumably if people set curtain in sysctl.conf, they have good
> reason for doing so).
> This is not cool. It might actually warrant an advisory.
I can't remember the exact details behind it; however, the curtain (and
securelevel BTW) sysctls were used through "security.curtain" and
"kern.securelevel" as shown in security(7). So it seems that this
regression went unnoticed.
When this change was made (securelevel and curtain moving to the
'extensions' secmodel(9)), the old sysctls remained but not the 'bsd44'
Left over on my side. I'll fix it and ask for a pullup, sorry.
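
An added example, not part of the original thread or of NetBSD: a POSIX sh check for the failure described in the quoted message, where a setting in sysctl.conf stops applying after an upgrade because its name no longer exists. It assumes plain name=value lines; `example.renamed.curtain` and the list of known names are constructed for illustration.

```shell
#!/bin/sh
# Added example: report settings in a sysctl.conf-style file whose names are
# absent from a list of sysctl names the running kernel knows.
# Assumption: the file uses plain "name=value" lines with '#' comments.

# conf_names FILE: print the variable name of every setting in FILE.
conf_names() {
    sed -e 's/#.*$//' -e 's/[[:space:]]//g' "$1" |
        awk -F= 'NF >= 2 && $1 != "" { print $1 }'
}

# missing_sysctls CONF KNOWN: print each name set in CONF that does not
# appear as a whole line in KNOWN (one sysctl name per line). On a live host
# KNOWN would be built from the system's own sysctl listing.
missing_sysctls() {
    conf_names "$1" | while IFS= read -r name; do
        grep -qxF -- "$name" "$2" || printf '%s\n' "$name"
    done
}

# demo: run the check on constructed input and print the stale names.
demo() {
    dir=$(mktemp -d) || return 1
    # Constructed sysctl.conf: kern.securelevel is named in the thread,
    # example.renamed.curtain is a hypothetical name that no longer exists.
    cat > "$dir/sysctl.conf" <<'EOF'
# hardening settings carried over from the previous release
kern.securelevel=1
example.renamed.curtain = 1   # hypothetical, gone after the upgrade
EOF
    # Constructed list of names known to the upgraded kernel.
    printf '%s\n' kern.securelevel kern.hostname > "$dir/known"
    missing_sysctls "$dir/sysctl.conf" "$dir/known"
    rm -rf "$dir"
}

demo
```

Run after an upgrade, any name this prints is a setting that is no longer being applied and would otherwise show up only as a boot-time warning.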