It's not cool to change security-related sysctl names

To: tech-security%netbsd.org@localhost
Subject: It's not cool to change security-related sysctl names
From: Thor Lancelot Simon <tls%panix.com@localhost>
Date: Wed, 16 Jan 2013 11:25:35 -0500

Between NetBSD 5 and NetBSD 6, the name of the 'curtain' sysctl was
changed with no backwards compatibility.

The result is that systems upgraded to NetBSD 6, which set curtain in
/etc/sysctl.conf, like so:

security.models.bsd44.curtain=1

Will now fail to do so.  If their admins don't notice the warning message
at boot time, the system will come up and run but sensitive data may be
disclosed (presumably if people set curtain in sysctl.conf, they have good
reason for doing so).

This is not cool.  It might actually warrant an advisory.

-- 
 Thor Lancelot Simon                                          
tls%panix.com@localhost

        It's very complicated.  It's very cumbersome.  There's a
        lot of numbers involved with it.

Follow-Ups:
- Re: It's not cool to change security-related sysctl names
  - From: Jean-Yves Migeon

Prev by Date: firefox behaviour, www.haaretz.co.il, js firefox36 dies, ghost process marked?
Next by Date: Re: It's not cool to change security-related sysctl names
Previous by Thread: firefox behaviour, www.haaretz.co.il, js firefox36 dies, ghost process marked?
Next by Thread: Re: It's not cool to change security-related sysctl names
Indexes:

Home | Main Index | Thread Index | Old Index