Re: kern.randompid sysctl value



Hi, Jordi,

On 2010/02/02 03:09, Jordi Espasa Clofent wrote:
> Hi,
>
> 1. What's the real value (in terms of security) of the random PIDs
> feature?
>
> According to this book
>
> http://books.google.es/books?id=gqKwaHmXp4YC&pg=PA50&lpg=PA50&dq=random+pids+security&source=bl&ots=jimAeOQK2Q&sig=WrsBiMAxU-lUCM3pdCjtIYfmiIo&hl=es&ei=OwVoS4nwGMeOjAek5ZCvCQ&sa=X&oi=book_result&ct=result&resnum=9&ved=0CCsQ6AEwCA#v=onepage&q=random%20pids%20security&f=false
>
> I understand that the random PIDs will be a good security measure against
> some exploits (the book says "race conditions"). OpenBSD folks (focused on
> security) have the random PIDs by default, so
>
> why doesn't FreeBSD use it by default?

Hmm... My personal impression is that random PIDs won't help much, and
management scripts may expect that a PID won't be recycled too early, say,
on a busy server. If PIDs are allocated sequentially, we can expect a
long time before one given PID will be used; with randomized allocation,
we can never tell, since it is expensive to have the kernel tell whether the
PID was being used, say, 1000 processes before.

> 2. What will be a real secure value for the sysctl parameter? I mean
> 'kern.randompid' isn't a boolean, but a large number which determines
> the numeric range to generate the random PIDs. 1000, 10000, 100000?

It's a modulus number. The kernel will adjust it for you if you specify
too large a number, e.g. 100k.

> Thanks in advance for clarifications.
>
> PS. I've read this old post
> http://marc.info/?l=freebsd-security&m=99495048923300&w=2. Interesting.

I think Peter's reply still applies...

Cheers,
--
Xin LI <delphij@xxxxxxxxxxx> http://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
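
The PID-recycling concern raised in the reply above can be put into numbers with a small simulation; this is an example added here, not code from the thread or from the FreeBSD kernel. It assumes a simplified allocator (every process exits immediately, PIDs run from 100 to 99999, and a non-zero modulus adds a random skip below that value to each allocation); the names `min_reuse_gap` and `compare` are made up for this sketch.

```python
import random

# Model constants (assumptions for this sketch, not read from a kernel).
PID_MIN = 100      # allocation restarts here after wrapping
PID_MAX = 99999    # highest PID handed out
SPAN = PID_MAX - PID_MIN + 1


def min_reuse_gap(modulus, forks, seed=1):
    """Return the smallest number of forks between two uses of one PID.

    modulus == 0 models sequential allocation; modulus > 0 adds a random
    skip in [0, modulus) to every allocation, as a modulus-style knob would.
    Returns None if no PID was handed out twice.
    """
    rng = random.Random(seed)          # seeded so runs are repeatable
    last_used = {}                     # pid -> index of the fork that got it
    pid, smallest = PID_MIN, None
    for i in range(forks):
        pid += 1 + (rng.randrange(modulus) if modulus else 0)
        if pid > PID_MAX:              # wrap back into the usable range
            pid = PID_MIN + (pid - PID_MIN) % SPAN
        if pid in last_used:
            gap = i - last_used[pid]
            smallest = gap if smallest is None else min(smallest, gap)
        last_used[pid] = i
    return smallest


def compare(moduli=(0, 100, 1000, 10000), forks=300_000):
    """Map each modulus to its minimum observed reuse gap."""
    return {m: min_reuse_gap(m, forks) for m in moduli}


if __name__ == "__main__":
    for modulus, gap in compare().items():
        label = "sequential" if modulus == 0 else f"modulus {modulus}"
        print(f"{label:>14}: same PID handed out again after {gap} forks")
```

In this model the sequential allocator never repeats a PID in fewer forks than the whole PID range, while a larger modulus shrinks the worst-case gap roughly in proportion, which is the behaviour a script holding a stale PID has to tolerate.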


