Source-Changes-HG archive


[src/trunk]: src Move security(8) to the section 7. Discussed on source-chang...



details:   https://anonhg.NetBSD.org/src/rev/44b54ff671df
branches:  trunk
changeset: 763386:44b54ff671df
user:      jruoho <jruoho%NetBSD.org@localhost>
date:      Fri Mar 18 15:21:56 2011 +0000

description:
Move security(8) to the section 7. Discussed on source-changes a while back.
Should address PR # 35718 at least partially.

diffstat:

 distrib/sets/lists/man/mi |   11 +-
 share/man/man7/Makefile   |    4 +-
 share/man/man7/intro.7    |    7 +-
 share/man/man7/security.7 |  428 ++++++++++++++++++++++++++++++++++++++++++++++
 share/man/man8/Makefile   |    4 +-
 share/man/man8/security.8 |  428 ----------------------------------------------
 6 files changed, 444 insertions(+), 438 deletions(-)

diffs (truncated from 986 to 300 lines):

diff -r b80fe3cb942a -r 44b54ff671df distrib/sets/lists/man/mi
--- a/distrib/sets/lists/man/mi Fri Mar 18 15:19:43 2011 +0000
+++ b/distrib/sets/lists/man/mi Fri Mar 18 15:21:56 2011 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: mi,v 1.1302 2011/03/17 02:35:28 joerg Exp $
+# $NetBSD: mi,v 1.1303 2011/03/18 15:21:56 jruoho Exp $
 #
 # Note: don't delete entries from here - mark them as "obsolete" instead.
 #
@@ -2032,6 +2032,7 @@
 ./usr/share/man/cat7/release.0                 man-reference-catman    .cat
 ./usr/share/man/cat7/rump_sp.0                 man-reference-catman    .cat
 ./usr/share/man/cat7/script.0                  man-reference-catman    .cat
+./usr/share/man/cat7/security.0                        man-reference-catman    .cat
 ./usr/share/man/cat7/setuid.0                  man-reference-catman    .cat
 ./usr/share/man/cat7/signal.0                  man-reference-catman    .cat
 ./usr/share/man/cat7/sticky.0                  man-reference-catman    .cat
@@ -2702,7 +2703,7 @@
 ./usr/share/man/cat8/schedctl.0                        man-sysutil-catman      .cat
 ./usr/share/man/cat8/scsictl.0                 man-sysutil-catman      .cat
 ./usr/share/man/cat8/sdpd.0                    man-sysutil-catman      .cat
-./usr/share/man/cat8/security.0                        man-sys-catman          .cat
+./usr/share/man/cat8/security.0                        man-obsolete            obsolete
 ./usr/share/man/cat8/sendmail.0                        man-obsolete            obsolete
 ./usr/share/man/cat8/services_mkdb.0           man-sysutil-catman      .cat
 ./usr/share/man/cat8/sesd.0                    man-sysutil-catman      .cat
@@ -4704,6 +4705,7 @@
 ./usr/share/man/html7/release.html             man-reference-htmlman   html
 ./usr/share/man/html7/rump_sp.html             man-reference-htmlman   html
 ./usr/share/man/html7/script.html              man-reference-htmlman   html
+./usr/share/man/html7/security.html            man-reference-htmlman   html
 ./usr/share/man/html7/setuid.html              man-reference-htmlman   html
 ./usr/share/man/html7/signal.html              man-reference-htmlman   html
 ./usr/share/man/html7/sticky.html              man-reference-htmlman   html
@@ -5220,7 +5222,7 @@
 ./usr/share/man/html8/schedctl.html            man-sysutil-htmlman     html
 ./usr/share/man/html8/scsictl.html             man-sysutil-htmlman     html
 ./usr/share/man/html8/sdpd.html                        man-sysutil-htmlman     html
-./usr/share/man/html8/security.html            man-sys-htmlman         html
+./usr/share/man/html8/security.html            man-obsolete            obsolete
 ./usr/share/man/html8/services_mkdb.html       man-sysutil-htmlman     html
 ./usr/share/man/html8/sesd.html                        man-sysutil-htmlman     html
 ./usr/share/man/html8/setencstat.html          man-sysutil-htmlman     html
@@ -7356,6 +7358,7 @@
 ./usr/share/man/man7/re_format.7               man-reference-man       .man
 ./usr/share/man/man7/release.7                 man-reference-man       .man
 ./usr/share/man/man7/script.7                  man-reference-man       .man
+./usr/share/man/man7/security.7                        man-reference-man       .man
 ./usr/share/man/man7/setuid.7                  man-reference-man       .man
 ./usr/share/man/man7/signal.7                  man-reference-man       .man
 ./usr/share/man/man7/sticky.7                  man-reference-man       .man
@@ -8027,7 +8030,7 @@
 ./usr/share/man/man8/schedctl.8                        man-sysutil-man         .man
 ./usr/share/man/man8/scsictl.8                 man-sysutil-man         .man
 ./usr/share/man/man8/sdpd.8                    man-sysutil-man         .man
-./usr/share/man/man8/security.8                        man-sys-man             .man
+./usr/share/man/man8/security.8                        man-obsolete            obsolete
 ./usr/share/man/man8/sendmail.8                        man-obsolete            obsolete
 ./usr/share/man/man8/services_mkdb.8           man-sysutil-man         .man
 ./usr/share/man/man8/sesd.8                    man-sysutil-man         .man
diff -r b80fe3cb942a -r 44b54ff671df share/man/man7/Makefile
--- a/share/man/man7/Makefile   Fri Mar 18 15:19:43 2011 +0000
+++ b/share/man/man7/Makefile   Fri Mar 18 15:21:56 2011 +0000
@@ -1,10 +1,10 @@
-#      $NetBSD: Makefile,v 1.26 2010/12/14 16:18:15 jruoho Exp $
+#      $NetBSD: Makefile,v 1.27 2011/03/18 15:21:57 jruoho Exp $
 #      @(#)Makefile    8.1 (Berkeley) 6/5/93
 
 # missing: eqnchar.7 man.7 ms.7 term.7
 
 MAN=   ascii.7 c.7 environ.7 glob.7 hier.7 hostname.7 intro.7 mailaddr.7 \
-       module.7 nls.7 operator.7 orders.7 pkgsrc.7 release.7  \
+       module.7 nls.7 operator.7 orders.7 pkgsrc.7 release.7  security.7 \
        script.7 setuid.7 signal.7 sticky.7 symlink.7 sysctl.7 \
        tests.7
 
diff -r b80fe3cb942a -r 44b54ff671df share/man/man7/intro.7
--- a/share/man/man7/intro.7    Fri Mar 18 15:19:43 2011 +0000
+++ b/share/man/man7/intro.7    Fri Mar 18 15:21:56 2011 +0000
@@ -1,4 +1,4 @@
-.\"    $NetBSD: intro.7,v 1.18 2010/12/14 16:18:15 jruoho Exp $
+.\"    $NetBSD: intro.7,v 1.19 2011/03/18 15:21:57 jruoho Exp $
 .\"
 .\" Copyright (c) 1983, 1990, 1993
 .\"    The Regents of the University of California.  All rights reserved.
@@ -29,7 +29,7 @@
 .\"
 .\"     @(#)intro.7    8.1 (Berkeley) 6/5/93
 .\"
-.Dd December 14, 2010
+.Dd March 18, 2011
 .Dt INTRO 7
 .Os
 .Sh NAME
@@ -88,6 +88,9 @@
 releases and snapshots
 .It Xr script 7
 how interpreter scripts are executed
+.It Xr security 7
+security features available in
+.Nx
 .It Xr setuid 7
 checklist for security and setuid programs
 .It Xr signal 7
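Review bot: the new `.It Xr security 7` entry is in the right alphabetical slot between `script` and `setuid`, but its description ("security features available in NetBSD") does not match the NAME line of the page it points at ("NetBSD security features"); keeping the two identical gives consistent `apropos` output. The adjacent `setuid 7` entry still reads "checklist for security and setuid programs", so a cross reference between the two pages would help readers who land on either one.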
diff -r b80fe3cb942a -r 44b54ff671df share/man/man7/security.7
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/share/man/man7/security.7 Fri Mar 18 15:21:56 2011 +0000
@@ -0,0 +1,428 @@
+.\" $NetBSD: security.7,v 1.1 2011/03/18 15:21:57 jruoho Exp $
+.\"
+.\" Copyright (c) 2006, 2011 Elad Efrat <elad%NetBSD.org@localhost>
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote products
+.\"    derived from this software without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd March 18, 2011
+.Dt SECURITY 7
+.Os
+.Sh NAME
+.Nm security
+.Nd
+.Nx
+security features
+.Sh DESCRIPTION
+.Nx
+supports a variety of security features.
+Below is a brief description of them with some quick usage examples
+that will help you get started.
+.Pp
+Contents:
+.Pp
+.Bl -hyphen -compact -offset indent
+.It
+Veriexec
+.Pq file integrity
+.It
+Exploit mitigation
+.It
+Per-user
+.Pa /tmp
+directory
+.It
+Information filtering
+.El
+.Sh VERIEXEC
+.Em Veriexec
+is a file integrity subsystem.
+.Pp
+For more information about it, and a quick guide on how to use it, please see
+.Xr veriexec 8 .
+.Pp
+In a nutshell, once enabled,
+.Em Veriexec
+can be started as follows:
+.Bd -literal -offset indent
+# veriexecgen \*[Am]\*[Am] veriexecctl load
+.Ed
+.Sh EXPLOIT MITIGATION
+.Nx
+incorporates some exploit mitigation features.
+The purpose of exploit mitigation features is to interfere
+with the way exploits work, in order to prevent them from succeeding.
+Due to that, some features may have other impacts on the system, so be sure to
+fully understand the implications of each feature.
+.Pp
+.Nx
+provides the following exploit mitigation features:
+.Pp
+.Bl -hyphen -compact -offset indent
+.It
+.Tn PaX ASLR
+.Pq Address Space Layout Randomization .
+.It
+.Tn PaX MPROTECT
+.Xr ( mprotect 2
+restrictions)
+.It
+.Tn PaX SegvGuard
+.It
+.Xr gcc 1
+stack-smashing protection
+.Pq Tn SSP
+.It
+bounds checked libc functions
+.Pq Tn FORTIFY_SOURCE
+.It
+Protections against
+.Dv NULL
+pointer dereferences
+.El
+.Ss PaX ASLR
+.Em PaX ASLR
+implements Address Space Layout Randomization
+.Pq Tn ASLR ,
+meant to complement non-executable mappings.
+Its purpose is to harden prediction of the address space layout, namely
+location of library and application functions that can be used by an attacker
+to circumvent non-executable mappings by using a technique called
+.Dq return to library
+to bypass the need to write new code to (potentially executable) regions of
+memory.
+.Pp
+When
+.Em PaX ASLR
+is used, it is more likely the attacker will fail to predict the addresses of
+such functions, causing the application to segfault.
+To detect cases where an attacker might try and brute-force the return address
+of respawning services,
+.Em PaX Segvguard
+can be used (see below).
+.Pp
+For non-PIE
+.Pq Position Independent Executable
+executables, the
+.Nx
+.Em PaX ASLR
+implementation introduces randomization to the following memory regions:
+.Pp
+.Bl -enum -compact -offset indent
+.It
+The data segment
+.It
+The stack
+.El
+.Pp
+For
+.Tn PIE
+executables:
+.Pp
+.Bl -enum -compact -offset indent
+.It
+The program itself (exec base)
+.It
+All shared libraries
+.It
+The data segment
+.It
+The stack
+.El
+.Pp
+While it can be enabled globally,
+.Nx
+provides a tool,
+.Xr paxctl 8 ,
+to enable
+.Em PaX ASLR
+on a per-program basis.
+.Pp
+Example usage:
+.Bd -literal -offset indent
+# paxctl +A /usr/sbin/sshd
+.Ed
+.Pp
+Enabling
+.Em PaX ASLR
+globally:
+.Bd -literal -offset indent
+# sysctl -w security.pax.aslr.global=1
+.Ed
+.Ss PaX MPROTECT
+.Em PaX MPROTECT
+implements memory protection restrictions,
+meant to complement non-executable mappings.
+The purpose is to prevent situations where malicious code attempts to mark
+writable memory regions as executable, often by trashing arguments to an
+.Xr mprotect 2
+call.
+.Pp
+While it can be enabled globally,
+.Nx
+provides a tool,
+.Xr paxctl 8 ,
+to enable
+.Em PaX MPROTECT
+on a per-program basis.
+.Pp
+Example usage:
+.Bd -literal -offset indent
+# paxctl +M /usr/sbin/sshd
+.Ed
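Review bot: a few consistency nits in the visible part of the new page. In the exploit mitigation list, `.Pq Address Space Layout Randomization .` carries a trailing period that the other items lack; `.Tn PaX SegvGuard` in that list and `.Em PaX Segvguard` in the ASLR text spell the feature two ways; and "bounds checked libc functions" would read better hyphenated, matching "stack-smashing protection". In the ASLR paragraph, "harden prediction of the address space layout" is awkward; "make the address space layout harder to predict" says the same thing. Finally, the Contents list promises Per-user /tmp and Information filtering sections, but the diff is truncated after PaX MPROTECT, so those sections, the SegvGuard, SSP, FORTIFY_SOURCE and NULL-dereference subsections, and any SEE ALSO references back to veriexec(8) and paxctl(8) are not reviewable here.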


