BSD: DragonFly, OpenBSD, and More
-
eMMC support & concerns
Just as a side note, it is totally possible to mount root read-only and then use tmpfs/copied mounts for the directories that the system needs to write to. Example included below (this is what our release image uses). Basically you specify a read-only root mount in /etc/fstab and then a bunch of rw tmpfs mounts using the -C option, which causes tmpfs to copy the underlying read-only filesystem onto the rw tmpfs filesystem.
-
Privilege drop, privilege separation, and restricted-service operating mode in OpenBSD
As implied by the article's title, Florian's writing covers a wide range of exploit mitigation efforts within OpenBSD. Early examples, such as the privilege dropping attempted in ping(8) 26 years ago, are explored first. Moving towards the present, Florian reflects on systrace(4), which Niels Provos presented at CanSecWest in 2002. His account of systrace's shortcomings gives readers insight into the motivation behind pledge(2), which grew out of the earlier tame(2) and is now widely available and deployed across OpenBSD alongside unveil(2). Florian then covers privilege separation in dhcpleased(8), noting in passing that the same techniques were used in slaacd(8) and unwind(8). This editor will note: some of that sort of defense-in-depth design seems as if it may have been inspired by prior art in MTAs such as djb's qmail or Wietse Venema's Postfix?
-
Privilege drop, privilege separation, and restricted-service operating mode in OpenBSD
My main focus in OpenBSD is privilege-separated network daemons running in restricted-service operation mode. I gave talks at BSDCan and FOSDEM in the past about how I used these techniques to write slaacd(8) and unwind(8). While I do not think of myself as a one-trick pony, I have written some more: slowcgi(8), rad(8), dhcpleased(8), and gelatod(8). I also wrote the first version of what later turned into resolvd(8).
At one point I claimed that it would take me about a week to transmogrify one daemon into a new one.