share/man/man7/security.7
.\" Copyright (C) 1998 Matthew Dillon. All rights reserved. | .\" Copyright (C) 1998 Matthew Dillon. All rights reserved. | ||||
.\" Copyright (c) 2019 The FreeBSD Foundation, Inc. | |||||
.\" | .\" | ||||
.\" Parts of this documentation were written by | |||||
emaste (inline comment): Parts of this documentation //were// written
.\" Konstantin Belousov <kib@FreeBSD.org> under sponsorship | |||||
.\" from the FreeBSD Foundation. | |||||
.\" | |||||
.\" Redistribution and use in source and binary forms, with or without | .\" Redistribution and use in source and binary forms, with or without | ||||
.\" modification, are permitted provided that the following conditions | .\" modification, are permitted provided that the following conditions | ||||
.\" are met: | .\" are met: | ||||
.\" 1. Redistributions of source code must retain the above copyright | .\" 1. Redistributions of source code must retain the above copyright | ||||
.\" notice, this list of conditions and the following disclaimer. | .\" notice, this list of conditions and the following disclaimer. | ||||
.\" 2. Redistributions in binary form must reproduce the above copyright | .\" 2. Redistributions in binary form must reproduce the above copyright | ||||
.\" notice, this list of conditions and the following disclaimer in the | .\" notice, this list of conditions and the following disclaimer in the | ||||
.\" documentation and/or other materials provided with the distribution. | .\" documentation and/or other materials provided with the distribution. | ||||
.\" | .\" | ||||
.\" THIS SOFTWARE IS PROVIDED BY AUTHOR AND CONTRIBUTORS ``AS IS'' AND | .\" THIS SOFTWARE IS PROVIDED BY AUTHOR AND CONTRIBUTORS ``AS IS'' AND | ||||
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | ||||
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | ||||
.\" ARE DISCLAIMED. IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE | .\" ARE DISCLAIMED. IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE | ||||
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | ||||
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | ||||
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | ||||
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | ||||
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | ||||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | ||||
.\" SUCH DAMAGE. | .\" SUCH DAMAGE. | ||||
.\" | .\" | ||||
.\" $FreeBSD$ | .\" $FreeBSD$ | ||||
.\" | .\" | ||||
.Dd December 25, 2013 | .Dd July 27, 2019 | ||||
.Dt SECURITY 7 | .Dt SECURITY 7 | ||||
.Os | .Os | ||||
.Sh NAME | .Sh NAME | ||||
.Nm security | .Nm security | ||||
.Nd introduction to security under FreeBSD | .Nd introduction to security under FreeBSD | ||||
.Sh DESCRIPTION | .Sh DESCRIPTION | ||||
Security is a function that begins and ends with the system administrator. | Security is a function that begins and ends with the system administrator. | ||||
While all | While all | ||||
[901 unchanged lines not shown]
that Kerberos is unsuited to). | that Kerberos is unsuited to). | ||||
We also recommend that you either turn off | We also recommend that you either turn off | ||||
key-forwarding in the SSH configuration, or that you make use of the | key-forwarding in the SSH configuration, or that you make use of the | ||||
.Va from Ns = Ns Ar IP/DOMAIN | .Va from Ns = Ns Ar IP/DOMAIN | ||||
option that SSH allows in its | option that SSH allows in its | ||||
.Pa authorized_keys | .Pa authorized_keys | ||||
file to make the key only usable to entities logging in from specific | file to make the key only usable to entities logging in from specific | ||||
machines. | machines. | ||||
.Sh KNOBS AND TWEAKS | |||||
.Fx | |||||
emaste (inline comment, Done): Maybe `.Fx provides`?
provides several knobs and tweak handles that make some introspection | |||||
information access more restricted. | |||||
Some people consider this as improving system security, so the knobs are | |||||
briefly listed there, together with controls which enable some mitigations | |||||
of the hardware state leaks. | |||||
.Bl -tag -width security.bsd.unprivileged_proc_debug | |||||
.It Dv security.bsd.see_other_uids | |||||
emaste (inline comment, Done): of //<remove the>// processes owned by //a// different uid
Controls visibility of processes owned by different uid. | |||||
The knob directly affects the | |||||
.Dv kern.proc | |||||
sysctls filtering of data, which results in restricted output from | |||||
bjk (inline comment, Unsubmitted, Not Done): "sysctl's" is a possessive here; since there's only one sysctl in question the apostrophe should go before the final 's'.
kib (author, inline comment, Unsubmitted, Done): No, kern.proc is the node under which real sysctls are located, like kern.proc.all etc.
utilities like | |||||
.Xr ps 1 . | |||||
.It Dv security.bsd.see_other_gids | |||||
Same, for processes owned by different gid. | |||||
.It Dv security.bsd.see_jail_proc | |||||
Same, for processes belonging to a jail. | |||||
.It Dv security.bsd.conservative_signals | |||||
When enabled, only allows to send job control and usual termination signals | |||||
bjk (inline comment, Unsubmitted, Done): Maybe "only allows unprivileged users to send"?
kib (author, inline comment, Unsubmitted, Done): It sounds strange that way, for me at least. I reformulated it differently.
like | |||||
.Dv SIGKILL , | |||||
.Dv SIGINT , | |||||
and | |||||
.Dv SIGTERM , | |||||
to the processes executing programs with changed uids. | |||||
.It Dv security.bsd.unprivileged_proc_debug | |||||
Controls availability of the process debugging facilities to non-root users. | |||||
See also | |||||
.Xr proccontrol 1 | |||||
mode | |||||
.Dv trace . | |||||
.It Dv vm.pmap.pti | |||||
Tunable, amd64-only. | |||||
Enables mode of operation of virtual memory system where usermode page | |||||
tables are sanitized to prevent so called Meltdown information leak on | |||||
bjk (inline comment, Unsubmitted, Done): "so-called" is hyphenated. I'd consider wrapping Meltdown in .Dq as well, but that's less clear.
some Intel CPUs. | |||||
By default system detects that CPU needs the workaround, and enables it | |||||
bjk (inline comment, Unsubmitted, Done): "By default, the system detects whether the CPU needs the workaround".
automatically. | |||||
See also | |||||
.Xr proccontrol 1 | |||||
mode | |||||
.Dv kpti . | |||||
.It Dv hw.mds_disable | |||||
amd64 and i386. | |||||
Controls Microarchitectural Data Sampling hardware information leak | |||||
mitigation. | |||||
.It Dv hw.spec_store_bypass_disable | |||||
amd64 and i386. | |||||
Controls Speculative Store Bypass hardware information leak mitigation. | |||||
.It Dv hw.ibrs_disable | |||||
amd64 and i386. | |||||
Controls Indirect Branch Restricted Speculation hardware information leak | |||||
bjk (inline comment, Unsubmitted, Done): spurious space here.
mitigation. | |||||
.It Dv machdep.syscall_ret_l1d_flush | |||||
amd64. | |||||
Controls force-flush of L1D cache on return from syscalls which report | |||||
the errors different from | |||||
bjk (inline comment, Unsubmitted, Done): Maybe, "which report errors other than"
.Ev EEXIST , | |||||
.Ev EAGAIN , | |||||
.Ev EXDEV , | |||||
.Ev ENOENT , | |||||
.Ev ENOTCONN , | |||||
and | |||||
.Ev EINPROGRESS . | |||||
This is mostly a paranoid setting added to prevent hypothetical exploitation | |||||
of unknown gadgets for unknown hardware issues. | |||||
The error codes exclusion list is composed of the most common errors which | |||||
typically occurs on normal system operation. | |||||
.It Dv machdep.nmi_flush_l1d_sw | |||||
amd64. | |||||
Controls force-flush of L1D cache on NMI, | |||||
provides software assist for bhyve mitigation of L1 terminal fault | |||||
bjk (inline comment, Unsubmitted, Done): I think the grammar is better as "on NMI; this provides"
hardware information leak. | |||||
.It Dv hw.vmm.vmx.l1d_flush | |||||
amd64. | |||||
Controls the mitigation of L1 Terminal Fault in bhyve hypervisor. | |||||
.It Dv kern.elf32.aslr.enable | |||||
Controls system-global Address Space Layour Randomization (ASLR) for | |||||
normal non-PIE (Position Independent Executable) 32bit binaries. | |||||
See also | |||||
.Xr proccontrol 1 | |||||
mode | |||||
.Dv aslr , | |||||
also affected by the per-image control note flag. | |||||
.It Dv kern.elf32.aslr.pie_enable | |||||
juan.molina_club.fr (inline comment, Done): s/Layour/Layout
Controls system-global Address Space Layout Randomization for | |||||
position-independent (PIE) 32bit binaries. | |||||
.It Dv kern.elf32.aslr.honor_sbrk | |||||
Makes ASLR less aggressive and more compatible with old binaries | |||||
relying on the sbrk area. | |||||
.It Dv kern.elf32.aslr.aslr_stack_gap | |||||
If ASLR is enabled for a binary, non-zero value creates a randomized | |||||
bjk (inline comment, Unsubmitted, Done): "a non-zero value"
stack gap between strings and end of aux vector. | |||||
val_packett.cool (inline comment, Done): s/32/64
emaste (inline comment, Done): And we should probably write "Position Independent Executable (PIE)" (Correct pluralization is…
bjk (inline comment, Unsubmitted, Done): "the end of the aux vector"
The value is the maximum percentage of main stack to waste on the gap. | |||||
Cannot be greater than 50, i.e. at most half of the stack. | |||||
bjk (inline comment, Unsubmitted, Done): comma both before and after "i.e.".
.It Dv kern.elf64.aslr.enable | |||||
64bit binaries ASLR control. | |||||
.It Dv kern.elf64.aslr.pie_enable | |||||
64bit PIE binaries ASLR control. | |||||
.It Dv kern.elf64.aslr.honor_sbrk | |||||
64bit binaries ASLR sbrk compatibility control. | |||||
.It Dv kern.elf32.aslr.aslr_stack_gap | |||||
Controls stack gap for 64bit binaries. | |||||
.It Dv kern.elf32.nxstack | |||||
Enables non-executable stack for 32bit processes. | |||||
Enabled by default if supported by hardware and corresponding binary. | |||||
.It Dv kern.elf64.nxstack | |||||
Enables non-executable stack for 64bit processes. | |||||
.El | |||||
.Sh SEE ALSO | .Sh SEE ALSO | ||||
.Xr chflags 1 , | .Xr chflags 1 , | ||||
.Xr find 1 , | .Xr find 1 , | ||||
.Xr md5 1 , | .Xr md5 1 , | ||||
.Xr netstat 1 , | .Xr netstat 1 , | ||||
.Xr openssl 1 , | .Xr openssl 1 , | ||||
.Xr proccontrol 1 , | |||||
.Xr ps 1 , | |||||
.Xr ssh 1 , | .Xr ssh 1 , | ||||
.Xr xdm 1 Pq Pa ports/x11/xorg-clients , | .Xr xdm 1 Pq Pa ports/x11/xorg-clients , | ||||
.Xr group 5 , | .Xr group 5 , | ||||
.Xr ttys 5 , | .Xr ttys 5 , | ||||
.Xr accton 8 , | .Xr accton 8 , | ||||
.Xr init 8 , | .Xr init 8 , | ||||
.Xr sshd 8 , | .Xr sshd 8 , | ||||
.Xr sysctl 8 , | .Xr sysctl 8 , | ||||
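Review bot: the 64-bit stack-gap entry (`.It Dv kern.elf32.aslr.aslr_stack_gap` followed by `Controls stack gap for 64bit binaries.`) repeats the elf32 sysctl name, so the 64-bit knob is documented under the wrong variable and a reader who copies it into sysctl.conf will set the 32-bit one; it should be the `kern.elf64.aslr.` counterpart, and both stack-gap names are worth checking against the SYSCTL declarations in sys/kern/imgact_elf.c before commit, since every other knob in this list (`enable`, `pie_enable`, `honor_sbrk`) is shown without an `aslr_` prefix on the leaf name. In the `machdep.syscall_ret_l1d_flush` entry the errno constants (`.Ev EEXIST ,` and the rest of the exclusion list) are marked up as environment variables; mdoc uses `.Er` for errno names, and sysctl variables are conventionally `.Va` rather than `.Dv` throughout the list. The entries are inconsistent about defaults: `kern.elf32.nxstack` says it is enabled by default and `vm.pmap.pti` says it is auto-detected, but the ASLR knobs and the `hw.mds_disable`, `hw.spec_store_bypass_disable` and `hw.ibrs_disable` mitigations state no default, and an administrator reading this section mainly wants to know whether anything needs changing; stating the default for each, and that `vm.pmap.pti` is a loader tunable set in loader.conf rather than a runtime sysctl, would make the list actionable. Smaller points: `Layour` for `Layout` in the `kern.elf32.aslr.enable` entry, `32bit`/`64bit` should be `32-bit`/`64-bit`, and the `security.bsd.conservative_signals` text leaves the actor unstated; it restricts which signals an unprivileged process may deliver to a process whose credentials have changed, and saying so makes the security property clear.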
[11 unchanged lines not shown]