Page MenuHomeFreeBSD
Differential D21087 Diff 60338 share/man/man7/security.7

Changeset View

Standalone View

View Options

share/man/man7/security.7

.\" Copyright (C) 1998 Matthew Dillon. All rights reserved. .\" Copyright (C) 1998 Matthew Dillon. All rights reserved.
.\" Copyright (c) 2019 The FreeBSD Foundation, Inc.
.\" .\"
.\" Parts of this documentation were written by
emasteUnsubmitted
Done
Inline Actions

Parts of this documentation were written

emaste: Parts of this documentation //were// written
.\" Konstantin Belousov <kib@FreeBSD.org> under sponsorship
.\" from the FreeBSD Foundation.
.\"
.\" Redistribution and use in source and binary forms, with or without .\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions .\" modification, are permitted provided that the following conditions
.\" are met: .\" are met:
.\" 1. Redistributions of source code must retain the above copyright .\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer. .\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright .\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the .\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution. .\" documentation and/or other materials provided with the distribution.
.\" .\"
.\" THIS SOFTWARE IS PROVIDED BY AUTHOR AND CONTRIBUTORS ``AS IS'' AND .\" THIS SOFTWARE IS PROVIDED BY AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE .\" ARE DISCLAIMED. IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE. .\" SUCH DAMAGE.
.\" .\"
.\" $FreeBSD$ .\" $FreeBSD$
.\" .\"
.Dd December 25, 2013 .Dd July 27, 2019
.Dt SECURITY 7 .Dt SECURITY 7
.Os .Os
.Sh NAME .Sh NAME
.Nm security .Nm security
.Nd introduction to security under FreeBSD .Nd introduction to security under FreeBSD
.Sh DESCRIPTION .Sh DESCRIPTION
Security is a function that begins and ends with the system administrator. Security is a function that begins and ends with the system administrator.
While all While all
▲ Show 20 LinesShow All 901 Lines▼ Show 20 Lines
that Kerberos is unsuited to). that Kerberos is unsuited to).
We also recommend that you either turn off We also recommend that you either turn off
key-forwarding in the SSH configuration, or that you make use of the key-forwarding in the SSH configuration, or that you make use of the
.Va from Ns = Ns Ar IP/DOMAIN .Va from Ns = Ns Ar IP/DOMAIN
option that SSH allows in its option that SSH allows in its
.Pa authorized_keys .Pa authorized_keys
file to make the key only usable to entities logging in from specific file to make the key only usable to entities logging in from specific
machines. machines.
.Sh KNOBS AND TWEAKS
.Fx
emasteUnsubmitted
Done
Inline Actions

Maybe .Fx provides?

emaste: Maybe `.Fx provides`?
provides several knobs and tweak handles that make some introspection
information access more restricted.
Some people consider this as improving system security, so the knobs are
briefly listed there, together with controls which enable some mitigations
of the hardware state leaks.
.Bl -tag -width security.bsd.unprivileged_proc_debug
.It Dv security.bsd.see_other_uids
emasteUnsubmitted
Done
Inline Actions

of <remove the> processes owned by a different uid

emaste: of //<remove the>// processes owned by //a// different uid
Controls visibility of processes owned by different uid.
The knob directly affects the
.Dv kern.proc
sysctls filtering of data, which results in restricted output from
bjkUnsubmitted
Not Done
Inline Actions

"sysctl's" is a possessive here; since there's only one sysctl in question the apostrophe should go before the final 's'.

bjk: "sysctl's" is a possessive here; since there's only one sysctl in question the apostrophe…
kibAuthorUnsubmitted
Done
Inline Actions

No, kern.proc is the node under which real sysctls are located, like kern.proc.all etc.

kib: No, kern.proc is the node under which real sysctls are located, like kern.proc.all etc.
utilities like
.Xr ps 1 .
.It Dv security.bsd.see_other_gids
Same, for processes owned by different gid.
.It Dv security.bsd.see_jail_proc
Same, for processes belonging to a jail.
.It Dv security.bsd.conservative_signals
When enabled, only allows to send job control and usual termination signals
bjkUnsubmitted
Done
Inline Actions

Maybe "only allows unprivileged users to send"?

bjk: Maybe "only allows unprivileged users to send"?
kibAuthorUnsubmitted
Done
Inline Actions

It sounds strange that way, for me at least. I reformulated it differently.

kib: It sounds strange that way, for me at least. I reformulated it differently.
like
.Dv SIGKILL ,
.Dv SIGINT ,
and
.Dv SIGTERM ,
to the processes executing programs with changed uids.
.It Dv security.bsd.unprivileged_proc_debug
Controls availability of the process debugging facilities to non-root users.
See also
.Xr proccontrol 1
mode
.Dv trace .
.It Dv vm.pmap.pti
Tunable, amd64-only.
Enables mode of operation of virtual memory system where usermode page
tables are sanitized to prevent so called Meltdown information leak on
bjkUnsubmitted
Done
Inline Actions

"so-called" is hyphenated.
I'd consider wrapping Meltdown in .Dq as well, but that's less clear.

bjk: "so-called" is hyphenated. I'd consider wrapping Meltdown in .Dq as well, but that's less clear.
some Intel CPUs.
By default system detects that CPU needs the workaround, and enables it
bjkUnsubmitted
Done
Inline Actions

"By default, the system detects whether the CPU needs the workaround".

bjk: "By default, the system detects whether the CPU needs the workaround".
automatically.
See also
.Xr proccontrol 1
mode
.Dv kpti .
.It Dv hw.mds_disable
amd64 and i386.
Controls Microarchitectural Data Sampling hardware information leak
mitigation.
.It Dv hw.spec_store_bypass_disable
amd64 and i386.
Controls Speculative Store Bypass hardware information leak mitigation.
.It Dv hw.ibrs_disable
amd64 and i386.
Controls Indirect Branch Restricted Speculation hardware information leak
bjkUnsubmitted
Done
Inline Actions

spurious space here.

bjk: spurious space here.
mitigation.
.It Dv machdep.syscall_ret_l1d_flush
amd64.
Controls force-flush of L1D cache on return from syscalls which report
the errors different from
bjkUnsubmitted
Done
Inline Actions

Maybe, "which report errors other than"

bjk: Maybe, "which report errors other than"
.Ev EEXIST ,
.Ev EAGAIN ,
.Ev EXDEV ,
.Ev ENOENT ,
.Ev ENOTCONN ,
and
.Ev EINPROGRESS .
This is mostly a paranoid setting added to prevent hypothetical exploitation
of unknown gadgets for unknown hardware issues.
The error codes exclusion list is composed of the most common errors which
typically occurs on normal system operation.
.It Dv machdep.nmi_flush_l1d_sw
amd64.
Controls force-flush of L1D cache on NMI,
provides software assist for bhyve mitigation of L1 terminal fault
bjkUnsubmitted
Done
Inline Actions

I think the grammar is better as "on NMI; this provides"

bjk: I think the grammar is better as "on NMI; this provides"
hardware information leak.
.It Dv hw.vmm.vmx.l1d_flush
amd64.
Controls the mitigation of L1 Terminal Fault in bhyve hypervisor.
.It Dv kern.elf32.aslr.enable
Controls system-global Address Space Layour Randomization (ASLR) for
normal non-PIE (Position Independent Executable) 32bit binaries.
See also
.Xr proccontrol 1
mode
.Dv aslr ,
also affected by the per-image control note flag.
.It Dv kern.elf32.aslr.pie_enable
juan.molina_club.frUnsubmitted
Done
Inline Actions

s/Layour/Layout

juan.molina_club.fr: s/Layour/Layout
Controls system-global Address Space Layout Randomization for
position-independent (PIE) 32bit binaries.
.It Dv kern.elf32.aslr.honor_sbrk
Makes ASLR less aggressive and more compatible with old binaries
relying on the sbrk area.
.It Dv kern.elf32.aslr.aslr_stack_gap
If ASLR is enabled for a binary, non-zero value creates a randomized
bjkUnsubmitted
Done
Inline Actions

"a non-zero value"

bjk: "a non-zero value"
stack gap between strings and end of aux vector.
val_packett.coolUnsubmitted
Done
Inline Actions

s/32/64

val_packett.cool: s/32/64
emasteUnsubmitted
Done
Inline Actions

And we should probably write "Position Independent Executable (PIE)"
(Correct pluralization is left as an exercise)

emaste: And we should probably write "Position Independent Executable (PIE)" (Correct pluralization is…
bjkUnsubmitted
Done
Inline Actions

"the end of the aux vector"

bjk: "the end of the aux vector"
The value is the maximum percentage of main stack to waste on the gap.
Cannot be greater than 50, i.e. at most half of the stack.
bjkUnsubmitted
Done
Inline Actions

comma both before and after "i.e.".

bjk: comma both before and after "i.e.".
.It Dv kern.elf64.aslr.enable
64bit binaries ASLR control.
.It Dv kern.elf64.aslr.pie_enable
64bit PIE binaries ASLR control.
.It Dv kern.elf64.aslr.honor_sbrk
64bit binaries ASLR sbrk compatibility control.
.It Dv kern.elf32.aslr.aslr_stack_gap
Controls stack gap for 64bit binaries.
.It Dv kern.elf32.nxstack
Enables non-executable stack for 32bit processes.
Enabled by default if supported by hardware and corresponding binary.
.It Dv kern.elf64.nxstack
Enables non-executable stack for 64bit processes.
.El
.Sh SEE ALSO .Sh SEE ALSO
.Xr chflags 1 , .Xr chflags 1 ,
.Xr find 1 , .Xr find 1 ,
.Xr md5 1 , .Xr md5 1 ,
.Xr netstat 1 , .Xr netstat 1 ,
.Xr openssl 1 , .Xr openssl 1 ,
.Xr proccontrol 1 ,
.Xr ps 1 ,
.Xr ssh 1 , .Xr ssh 1 ,
.Xr xdm 1 Pq Pa ports/x11/xorg-clients , .Xr xdm 1 Pq Pa ports/x11/xorg-clients ,
.Xr group 5 , .Xr group 5 ,
.Xr ttys 5 , .Xr ttys 5 ,
.Xr accton 8 , .Xr accton 8 ,
.Xr init 8 , .Xr init 8 ,
.Xr sshd 8 , .Xr sshd 8 ,
.Xr sysctl 8 , .Xr sysctl 8 ,
Show All 11 Lines