tech-kern archive
Re: disabling SA in 5.0
On Mar 8, 3:53pm, ad%netbsd.org@localhost (Andrew Doran) wrote:
-- Subject: Re: disabling SA in 5.0
| > I understand and I know that SA under 4.0 was susceptible to the
| > same kinds of crashes. I don't have any vested interest in preserving
| > SA. I just care about the user experience during the upgrade from
| > 4.0 to 5.0,
|
| You are clouding the discussion. SA is for corner cases, like the one that
| you mention above, where a partial upgrade is being done by hand. If you are
| doing something by hand, surely you can also change a configuration file.
This is not a corner case, because many production environments prefer
to upgrade by running new-kernel+old-userland for a while before committing
to upgrade userland. On the other hand, yes, they could edit a config file
to achieve that.
| > and providing a stable (one that one cannot easily
| > crash via a local DoS) environment. These goals are often conflicting,
| > but we could do something like print a warning at boot time when
| > SA is enabled and keep it enabled in the INSTALL kernels and not
| > in GENERIC for example.
|
| There we disagree. I believe that the base product as shipped should not be
| vulnerable to this type of attack.
|
| > In my opinion, having SA turned on is no
| > worse than having the unix domain file descriptor passing turned
| > on; they can both be exploited to crash the kernel.
|
| I have spent today and yesterday working on the descriptor issue that you
| mention and on another security vulnerability. I have no interest in fixing
| SA and refuse to be guilt-tripped about it because I already fixed it, by
| replacing it.
I don't want you to fix SA, and I appreciate that you are fixing the other
security vulnerabilities.
christos