Source-Changes-HG archive


[src/trunk]: src/share/man/man8 Small improvements to wording and markup.



details:   https://anonhg.NetBSD.org/src/rev/9cc1e58f2f33
branches:  trunk
changeset: 754120:9cc1e58f2f33
user:      jruoho <jruoho%NetBSD.org@localhost>
date:      Wed Apr 21 05:05:07 2010 +0000

description:
Small improvements to wording and markup.
Note also the default use of SSP on x86.

diffstat:

 share/man/man8/security.8 |  63 ++++++++++++++++++++++++++++------------------
 1 files changed, 38 insertions(+), 25 deletions(-)

diffs (152 lines):

diff -r c27b97f2d914 -r 9cc1e58f2f33 share/man/man8/security.8
--- a/share/man/man8/security.8 Wed Apr 21 04:25:27 2010 +0000
+++ b/share/man/man8/security.8 Wed Apr 21 05:05:07 2010 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: security.8,v 1.20 2010/04/19 12:59:36 jruoho Exp $
+.\" $NetBSD: security.8,v 1.21 2010/04/21 05:05:07 jruoho Exp $
 .\"
 .\" Copyright (c) 2006 Elad Efrat <elad%NetBSD.org@localhost>
 .\" All rights reserved.
@@ -25,7 +25,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd April 19, 2010
+.Dd April 21, 2010
 .Dt SECURITY 8
 .Os
 .Sh NAME
@@ -40,9 +40,10 @@
 that will help you get started.
 .Pp
 Contents:
-.Bl -hyphen -compact
+.Bl -hyphen -compact -offset indent
 .It
-Veriexec (file integrity)
+Veriexec
+.Pq file integrity
 .It
 Exploit mitigation
 .It
@@ -68,30 +69,33 @@
 .Sh EXPLOIT MITIGATION
 .Nx
 incorporates some exploit mitigation features.
-The purpose of exploit mitigation features is to interfere with the way exploits
-work, in order to prevent them from succeeding.
-Due to that, some features may have other impact on the system, so be sure to
+The purpose of exploit mitigation features is to interfere
+with the way exploits work, in order to prevent them from succeeding.
+Due to that, some features may have other impacts on the system, so be sure to
 fully understand the implications of each feature.
 .Pp
 .Nx
 provides the following exploit mitigation features:
-.Bl -hyphen -compact
+.Pp
+.Bl -hyphen -compact -offset indent
 .It
-PaX ASLR (Address Space Layout Randomization)
+.Tn PaX ASLR
+.Pq Address Space Layout Randomization .
 .It
-PaX MPROTECT
+.Tn PaX MPROTECT
 .Xr ( mprotect 2
 restrictions)
 .It
-PaX SegvGuard
+.Tn PaX SegvGuard
 .It
 .Xr gcc 1
 stack-smashing protection (SSP)
 .El
 .Ss PaX ASLR
 .Em PaX ASLR
-implements Address Space Layout Randomization, meant to complement
-non-executable mappings.
+implements Address Space Layout Randomization
+.Pq Tn ASLR ,
+meant to complement non-executable mappings.
 Its purpose is to harden prediction of the address space layout, namely
 location of library and application functions that can be used by an attacker
 to circumvent non-executable mappings by using a technique called
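Review bot: the trailing period in `.Pq Address Space Layout Randomization .` renders as "(Address Space Layout Randomization)." while the other three items in the same list end without punctuation; drop the period so the list is consistent. The MPROTECT item also keeps the older `.Xr ( mprotect 2` / `restrictions)` construction, which could become `.Pq Xr mprotect 2 restrictions` to match the `.Pq` style this hunk introduces for the ASLR item.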
@@ -108,20 +112,25 @@
 .Em PaX Segvguard
 can be used (see below).
 .Pp
-For non-PIE (Position Independent Executable) executables,
+For non-PIE
+.Pq Position Independent Executable executables ,
 the
 .Nx
 .Em PaX ASLR
 implementation introduces randomization to the following memory regions:
-.Bl -enum -compact
+.Pp
+.Bl -enum -compact -offset indent
 .It
 The data segment
 .It
 The stack
 .El
 .Pp
-For PIE executables:
-.Bl -enum -compact
+For
+.Tn PIE
+executables:
+.Pp
+.Bl -enum -compact -offset indent
 .It
 The program itself (exec base)
 .It
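Review bot: in the non-PIE paragraph, `.Pq Position Independent Executable executables ,` places the word "executables" inside the parentheses, so the text renders as "For non-PIE (Position Independent Executable executables), the", whereas the removed line read "For non-PIE (Position Independent Executable) executables,". Suggest `.Pq Position Independent Executable` on its own line, followed by `executables,` on the next.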
@@ -153,9 +162,9 @@
 .Ed
 .Ss PaX MPROTECT
 .Em PaX MPROTECT
-implements memory protection restrictions, meant to complement non-executable
-mappings.
-Their purpose is to prevent situations where malicious code attempts to mark
+implements memory protection restrictions,
+meant to complement non-executable mappings.
+The purpose is to prevent situations where malicious code attempts to mark
 writable memory regions as executable, often by trashing arguments to an
 .Xr mprotect 2
 call.
@@ -198,7 +207,8 @@
 .Pp
 For this reason, it is highly recommended to have
 .Em PaX Segvguard
-enabled explicitly only for network services, etc.
+enabled explicitly only for network services or
+other processes deemed as critical to system security.
 Enabling
 .Em PaX Segvguard
 explicitly works like this:
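Review bot: "other processes deemed as critical to system security" is non-idiomatic; "other processes deemed critical to system security" reads more naturally.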
@@ -207,8 +217,8 @@
 .Ed
 .Pp
 However, a global knob is still provided, for use in strict environments
-with no local users (some network appliances, embedded devices, firewalls,
-etc.):
+with no local users (for example, some network appliances, embedded devices,
+and firewalls)
 .Bd -literal -offset indent
 # sysctl -w security.pax.segvguard.global=1
 .Ed
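Review bot: the replacement lines drop the colon that introduced the `.Bd -literal` sysctl example; the removed line ended with "etc.):" while the new one ends with "and firewalls)". Suggest "and firewalls):" so the display that follows is still introduced by the sentence.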
@@ -281,8 +291,11 @@
 Use of
 .Em SSP
 is especially encouraged on platforms without per-page execute bit granularity
-such as
-.Em i386 .
+such as i386.
+As of
+.Nx 6.0 ,
+.Em SSP
+is used by default on i386 and amd64 architectures.
 .Sh PER-USER TEMPORARY STORAGE
 It is possible to configure per-user temporary storage to avoid potential
 security issues (race conditions, etc.) in programs that do not make secure
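Review bot: the added sentence states that SSP "is used by default on i386 and amd64 architectures" but not what applies that default; since the feature list above introduces it as `.Xr gcc 1` stack-smashing protection, saying that the default comes from how the system is built with the compiler (rather than from a sysctl like the PaX features documented alongside it) would save the reader from looking for a knob that this section does not describe.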


