Source-Changes-HG archive
[src/trunk]: src Move security(8) to the section 7. Discussed on source-chang...
details: https://anonhg.NetBSD.org/src/rev/44b54ff671df
branches: trunk
changeset: 763386:44b54ff671df
user: jruoho <jruoho%NetBSD.org@localhost>
date: Fri Mar 18 15:21:56 2011 +0000
description:
Move security(8) to the section 7. Discussed on source-changes a while back.
Should address PR # 35718 at least partially.
diffstat:
distrib/sets/lists/man/mi | 11 +-
share/man/man7/Makefile | 4 +-
share/man/man7/intro.7 | 7 +-
share/man/man7/security.7 | 428 ++++++++++++++++++++++++++++++++++++++++++++++
share/man/man8/Makefile | 4 +-
share/man/man8/security.8 | 428 ----------------------------------------------
6 files changed, 444 insertions(+), 438 deletions(-)
diffs (truncated from 986 to 300 lines):
diff -r b80fe3cb942a -r 44b54ff671df distrib/sets/lists/man/mi
--- a/distrib/sets/lists/man/mi Fri Mar 18 15:19:43 2011 +0000
+++ b/distrib/sets/lists/man/mi Fri Mar 18 15:21:56 2011 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: mi,v 1.1302 2011/03/17 02:35:28 joerg Exp $
+# $NetBSD: mi,v 1.1303 2011/03/18 15:21:56 jruoho Exp $
#
# Note: don't delete entries from here - mark them as "obsolete" instead.
#
@@ -2032,6 +2032,7 @@
./usr/share/man/cat7/release.0 man-reference-catman .cat
./usr/share/man/cat7/rump_sp.0 man-reference-catman .cat
./usr/share/man/cat7/script.0 man-reference-catman .cat
+./usr/share/man/cat7/security.0 man-reference-catman .cat
./usr/share/man/cat7/setuid.0 man-reference-catman .cat
./usr/share/man/cat7/signal.0 man-reference-catman .cat
./usr/share/man/cat7/sticky.0 man-reference-catman .cat
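Review bot: the new cat7 entry is tagged `man-reference-catman`, whereas the cat8 entry it replaces was `man-sys-catman`, so this is a distribution-set move (man-sys to man-reference) as well as a section move. That matches the neighbouring section 7 pages (release, script, setuid) and the html7/man7 entries later in this file, so it looks intentional, but the commit message only mentions the section change; worth a word there so packagers of the man-sys set are not surprised.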
@@ -2702,7 +2703,7 @@
./usr/share/man/cat8/schedctl.0 man-sysutil-catman .cat
./usr/share/man/cat8/scsictl.0 man-sysutil-catman .cat
./usr/share/man/cat8/sdpd.0 man-sysutil-catman .cat
-./usr/share/man/cat8/security.0 man-sys-catman .cat
+./usr/share/man/cat8/security.0 man-obsolete obsolete
./usr/share/man/cat8/sendmail.0 man-obsolete obsolete
./usr/share/man/cat8/services_mkdb.0 man-sysutil-catman .cat
./usr/share/man/cat8/sesd.0 man-sysutil-catman .cat
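Review bot: marking `./usr/share/man/cat8/security.0` as `man-obsolete obsolete` rather than dropping the line follows the rule in this file's header ("don't delete entries from here - mark them as obsolete instead"), and the same pattern is applied consistently to the html8 and man8 entries below, so the postinstall obsolete-file cleanup will remove the stale section 8 copy on upgrade.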
@@ -4704,6 +4705,7 @@
./usr/share/man/html7/release.html man-reference-htmlman html
./usr/share/man/html7/rump_sp.html man-reference-htmlman html
./usr/share/man/html7/script.html man-reference-htmlman html
+./usr/share/man/html7/security.html man-reference-htmlman html
./usr/share/man/html7/setuid.html man-reference-htmlman html
./usr/share/man/html7/signal.html man-reference-htmlman html
./usr/share/man/html7/sticky.html man-reference-htmlman html
@@ -5220,7 +5222,7 @@
./usr/share/man/html8/schedctl.html man-sysutil-htmlman html
./usr/share/man/html8/scsictl.html man-sysutil-htmlman html
./usr/share/man/html8/sdpd.html man-sysutil-htmlman html
-./usr/share/man/html8/security.html man-sys-htmlman html
+./usr/share/man/html8/security.html man-obsolete obsolete
./usr/share/man/html8/services_mkdb.html man-sysutil-htmlman html
./usr/share/man/html8/sesd.html man-sysutil-htmlman html
./usr/share/man/html8/setencstat.html man-sysutil-htmlman html
@@ -7356,6 +7358,7 @@
./usr/share/man/man7/re_format.7 man-reference-man .man
./usr/share/man/man7/release.7 man-reference-man .man
./usr/share/man/man7/script.7 man-reference-man .man
+./usr/share/man/man7/security.7 man-reference-man .man
./usr/share/man/man7/setuid.7 man-reference-man .man
./usr/share/man/man7/signal.7 man-reference-man .man
./usr/share/man/man7/sticky.7 man-reference-man .man
@@ -8027,7 +8030,7 @@
./usr/share/man/man8/schedctl.8 man-sysutil-man .man
./usr/share/man/man8/scsictl.8 man-sysutil-man .man
./usr/share/man/man8/sdpd.8 man-sysutil-man .man
-./usr/share/man/man8/security.8 man-sys-man .man
+./usr/share/man/man8/security.8 man-obsolete obsolete
./usr/share/man/man8/sendmail.8 man-obsolete obsolete
./usr/share/man/man8/services_mkdb.8 man-sysutil-man .man
./usr/share/man/man8/sesd.8 man-sysutil-man .man
diff -r b80fe3cb942a -r 44b54ff671df share/man/man7/Makefile
--- a/share/man/man7/Makefile Fri Mar 18 15:19:43 2011 +0000
+++ b/share/man/man7/Makefile Fri Mar 18 15:21:56 2011 +0000
@@ -1,10 +1,10 @@
-# $NetBSD: Makefile,v 1.26 2010/12/14 16:18:15 jruoho Exp $
+# $NetBSD: Makefile,v 1.27 2011/03/18 15:21:57 jruoho Exp $
# @(#)Makefile 8.1 (Berkeley) 6/5/93
# missing: eqnchar.7 man.7 ms.7 term.7
MAN= ascii.7 c.7 environ.7 glob.7 hier.7 hostname.7 intro.7 mailaddr.7 \
- module.7 nls.7 operator.7 orders.7 pkgsrc.7 release.7 \
+ module.7 nls.7 operator.7 orders.7 pkgsrc.7 release.7 security.7 \
script.7 setuid.7 signal.7 sticky.7 symlink.7 sysctl.7 \
tests.7
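Review bot: `security.7` is inserted out of alphabetical order in `MAN=`; `script.7` sorts before `security.7` (`scr` < `sec`), so the list should read `... release.7 \` / `script.7 security.7 setuid.7 signal.7 ...`. The intro.7 table and the set lists in this same change do place security between script and setuid, so only the Makefile is inconsistent.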
diff -r b80fe3cb942a -r 44b54ff671df share/man/man7/intro.7
--- a/share/man/man7/intro.7 Fri Mar 18 15:19:43 2011 +0000
+++ b/share/man/man7/intro.7 Fri Mar 18 15:21:56 2011 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: intro.7,v 1.18 2010/12/14 16:18:15 jruoho Exp $
+.\" $NetBSD: intro.7,v 1.19 2011/03/18 15:21:57 jruoho Exp $
.\"
.\" Copyright (c) 1983, 1990, 1993
.\" The Regents of the University of California. All rights reserved.
@@ -29,7 +29,7 @@
.\"
.\" @(#)intro.7 8.1 (Berkeley) 6/5/93
.\"
-.Dd December 14, 2010
+.Dd March 18, 2011
.Dt INTRO 7
.Os
.Sh NAME
@@ -88,6 +88,9 @@
releases and snapshots
.It Xr script 7
how interpreter scripts are executed
+.It Xr security 7
+security features available in
+.Nx
.It Xr setuid 7
checklist for security and setuid programs
.It Xr signal 7
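Review bot: the new `.It Xr security 7` entry is correctly placed between `script 7` and `setuid 7`, and its one-line description ("security features available in .Nx") agrees with the `.Nd` of the moved page. Since the adjacent `setuid 7` entry is the "checklist for security and setuid programs", the two pages should cross-reference each other in their SEE ALSO sections; that part of security.7 falls outside the truncated diff shown here, so please confirm it.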
diff -r b80fe3cb942a -r 44b54ff671df share/man/man7/security.7
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/share/man/man7/security.7 Fri Mar 18 15:21:56 2011 +0000
@@ -0,0 +1,428 @@
+.\" $NetBSD: security.7,v 1.1 2011/03/18 15:21:57 jruoho Exp $
+.\"
+.\" Copyright (c) 2006, 2011 Elad Efrat <elad%NetBSD.org@localhost>
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote products
+.\" derived from this software without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd March 18, 2011
+.Dt SECURITY 7
+.Os
+.Sh NAME
+.Nm security
+.Nd
+.Nx
+security features
+.Sh DESCRIPTION
+.Nx
+supports a variety of security features.
+Below is a brief description of them with some quick usage examples
+that will help you get started.
+.Pp
+Contents:
+.Pp
+.Bl -hyphen -compact -offset indent
+.It
+Veriexec
+.Pq file integrity
+.It
+Exploit mitigation
+.It
+Per-user
+.Pa /tmp
+directory
+.It
+Information filtering
+.El
+.Sh VERIEXEC
+.Em Veriexec
+is a file integrity subsystem.
+.Pp
+For more information about it, and a quick guide on how to use it, please see
+.Xr veriexec 8 .
+.Pp
+In a nutshell, once enabled,
+.Em Veriexec
+can be started as follows:
+.Bd -literal -offset indent
+# veriexecgen \*[Am]\*[Am] veriexecctl load
+.Ed
+.Sh EXPLOIT MITIGATION
+.Nx
+incorporates some exploit mitigation features.
+The purpose of exploit mitigation features is to interfere
+with the way exploits work, in order to prevent them from succeeding.
+Due to that, some features may have other impacts on the system, so be sure to
+fully understand the implications of each feature.
+.Pp
+.Nx
+provides the following exploit mitigation features:
+.Pp
+.Bl -hyphen -compact -offset indent
+.It
+.Tn PaX ASLR
+.Pq Address Space Layout Randomization .
+.It
+.Tn PaX MPROTECT
+.Xr ( mprotect 2
+restrictions)
+.It
+.Tn PaX SegvGuard
+.It
+.Xr gcc 1
+stack-smashing protection
+.Pq Tn SSP
+.It
+bounds checked libc functions
+.Pq Tn FORTIFY_SOURCE
+.It
+Protections against
+.Dv NULL
+pointer dereferences
+.El
+.Ss PaX ASLR
+.Em PaX ASLR
+implements Address Space Layout Randomization
+.Pq Tn ASLR ,
+meant to complement non-executable mappings.
+Its purpose is to harden prediction of the address space layout, namely
+location of library and application functions that can be used by an attacker
+to circumvent non-executable mappings by using a technique called
+.Dq return to library
+to bypass the need to write new code to (potentially executable) regions of
+memory.
+.Pp
+When
+.Em PaX ASLR
+is used, it is more likely the attacker will fail to predict the addresses of
+such functions, causing the application to segfault.
+To detect cases where an attacker might try and brute-force the return address
+of respawning services,
+.Em PaX Segvguard
+can be used (see below).
+.Pp
+For non-PIE
+.Pq Position Independent Executable
+executables, the
+.Nx
+.Em PaX ASLR
+implementation introduces randomization to the following memory regions:
+.Pp
+.Bl -enum -compact -offset indent
+.It
+The data segment
+.It
+The stack
+.El
+.Pp
+For
+.Tn PIE
+executables:
+.Pp
+.Bl -enum -compact -offset indent
+.It
+The program itself (exec base)
+.It
+All shared libraries
+.It
+The data segment
+.It
+The stack
+.El
+.Pp
+While it can be enabled globally,
+.Nx
+provides a tool,
+.Xr paxctl 8 ,
+to enable
+.Em PaX ASLR
+on a per-program basis.
+.Pp
+Example usage:
+.Bd -literal -offset indent
+# paxctl +A /usr/sbin/sshd
+.Ed
+.Pp
+Enabling
+.Em PaX ASLR
+globally:
+.Bd -literal -offset indent
+# sysctl -w security.pax.aslr.global=1
+.Ed
+.Ss PaX MPROTECT
+.Em PaX MPROTECT
+implements memory protection restrictions,
+meant to complement non-executable mappings.
+The purpose is to prevent situations where malicious code attempts to mark
+writable memory regions as executable, often by trashing arguments to an
+.Xr mprotect 2
+call.
+.Pp
+While it can be enabled globally,
+.Nx
+provides a tool,
+.Xr paxctl 8 ,
+to enable
+.Em PaX MPROTECT
+on a per-program basis.
+.Pp
+Example usage:
+.Bd -literal -offset indent
+# paxctl +M /usr/sbin/sshd
+.Ed
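Review bot: since this file is security.8 moved wholesale into section 7 (diffstat: 428 lines removed, 428 added) with a new `.Dt SECURITY 7` and `.Dd March 18, 2011`, every remaining `.Xr security 8` cross-reference in the tree needs the same update; the only one visible in this change is the new intro.7 entry, so a tree-wide search for `security 8` should accompany the move. Two mdoc nits are carried over unchanged in the moved text: the exploit mitigation list punctuates inconsistently (`.Pq Address Space Layout Randomization .` ends in a period while no other item does, and the two-line `.Xr ( mprotect 2` / `restrictions)` would read more cleanly as `.Pq Xr mprotect 2 restrictions`, matching the `.Pq Tn SSP` form used two items later), and the feature is spelled `PaX SegvGuard` in the list but `PaX Segvguard` in the ASLR text; pick one spelling.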