Re: Improving security for pkgsrc
Pierre Pronchery <khorben%defora.org@localhost> writes:
> This is already what this patch does, in mk/pax.mk:
> 19 . if empty(MACHINE_PLATFORM:MNetBSD-[^0-3].*-386) || \
> 20 empty(MACHINE_PLATFORM:MNetBSD-[^0-3].*-x86_64)
> 21 PAXCTL?= /usr/sbin/paxctl
> 22 . endif
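Review bot: The condition on lines 19-20 joins two `empty()` tests with `||`, so it is true whenever MACHINE_PLATFORM fails to match at least one of the two patterns, and since no value can end in both `-386` and `-x86_64`, that is every platform; `PAXCTL` then gets its default everywhere rather than only on the NetBSD ports named in the thread. Negate both tests, as in `!empty(MACHINE_PLATFORM:MNetBSD-[^0-3].*-386) || !empty(MACHINE_PLATFORM:MNetBSD-[^0-3].*-x86_64)`, and check the first pattern: it ends in `-386`, which will not match a platform string ending in `-i386`.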
It seems that paxctl is supported on multiple systems, so that should be
in a platform file.
> Or did you mean something else?
Probably he meant the decision to run paxctl and mark binaries. That
would straightforwardly need a variable to enable it for mk.conf, and
then there could be per os/arch/abi to enable it by default if we do that.
> If you speak about enabling ASLR globally in NetBSD, this involves the
> kernel and base system, not pkgsrc. Therefore it will be a different
> debate, taking place on another mailing-list (tech-kern probably). This
> change should have no impact on the functionality of the packages
> modified by paxctl(8) where supported (NetBSD/amd64 and NetBSD/i386 so
> far), except for being marked as not supporting PaX.
Presumably you are meaning that having the flags enabled when the OS
doesn't have ASLR enabled does nothing, and is therefore safe, but you
didn't quite say that.
However, if someone is starting to turn things on for a platform where
this is not known to be solid, a reasonable expectation would be that
random pkgsrc stuff would not be enabled.
> In the case of packages setting NOT_PAX_ASLR_SAFE or
> NOT_PAX_MPROTECT_SAFE, it can easily be refined per package for each
> platform where it is known to run fine. This will happen typically for
> Linux, where ASLR is already well supported (grsecurity...), and most
> probably for OpenBSD. It can even be set per executable actually.
> As I mentioned, I will get in touch with the respective package
> maintainers to get these parameters set.
Please explain more clearly; I'm having trouble following.