systrace removed? Why?


systrace removed? Why?

L.R. D.S.
Why?


Re: systrace removed? Why?

Luis Coronado-3
Why not? In a more serious way, read misc@ and tech@ particularly in the
subject about pledge.

-luis

On Monday, 25 April 2016, <[hidden email]> wrote:

> Why?


Re: systrace removed? Why?

L.R. D.S.
In reply to this post by L.R. D.S.
I know about the pledge(2) development, but systrace and pledge are not mutually exclusive. Pledge needs to be used inline, where systrace can be used as a command line tool.
If you remove it, many scripts that use systrace for privilege reduction will break.
Of course, you can put it on packages, but if you follow this logic, shouldn't other tools be also removed and be on packages? banner(1) for example, is kind of useless. The cpan(1) pkg manager from perl also could be in packages. Same with sqlite3, I think. Or telnet, since almost no one uses it anymore. Etc.


Re: systrace removed? Why?

Michael McConville-3
[hidden email] wrote:
> I know about the pledge(2) development, but systrace and pledge are
> not mutually exclusive. Pledge needs to be used inline, where systrace
> can be used as a command line tool.
>
> If you remove it, many scripts that use systrace for privilege
> reduction will break.

I guess the question is: how many people actually use systrace in
scripts? Probably very very few.

> Of course, you can put it on packages, but if you follow this logic,
> shouldn't other tools be also removed and be on packages? banner(1)
> for example, is kind of useless. The cpan(1) pkg manager from perl also
> could be in packages. Same with sqlite3, I think. Or telnet, since
> almost no one uses it anymore. Etc.

I'm pretty sure that you can't package systrace because it needs to be
supported by the kernel. I expect that that's part of the reason why it
was removed: axing it simplifies and quickens the kernel.


Re: systrace removed? Why?

Stuart Henderson
In reply to this post by L.R. D.S.
On 2016-04-26, [hidden email] <[hidden email]> wrote:
> Of course, you can put it on packages

Nope.


Re: systrace removed? Why?

Kevin Chadwick-4
In reply to this post by Michael McConville-3
> I guess the question is: how many people actually use systrace in
> scripts? Probably very very few.

I use it in scripts but will look to switching to pledge when I
have time, which I *should* be able to find in the next 6 months, haha.
It is however sometimes insightful as a quick and dirty debugging tool.

Unfortunately systrace overhead can be significant for monitoring
complex programs but it could potentially be useful as a part of a
(HIPS or system intrusion or malfunction detection for a secure
server). hmmm, assuming pledge doesn't kill the offending process first,
haha.

I guess pledging /bin/sh may throw up challenges too though I see many
pledges in csh? and so is systrace useful there?

--

KISSIS - Keep It Simple So It's Securable


Re: systrace removed? Why?

Theo de Raadt
> > I guess the question is: how many people actually use systrace in
> > scripts? Probably very very few.

From yesterday onwards, no one uses it.

> I use it in scripts but will look to switching to pledge when I
> have time, which I *should* be able to find in the next 6 months, haha.
> It is however sometimes insightful as a quick and dirty debugging tool.

If you stick to old code, sure.

> Unfortunately systrace overhead can be significant for monitoring
> complex programs but it could potentially be useful as a part of a
> (HIPS or system intrusion or malfunction detection for a secure
> server). hmmm, assuming pledge doesn't kill the offending process first,
> haha.

systrace and pledge did not work together.  So that's baloney.

> I guess pledging /bin/sh may throw up challenges too though I see many
> pledges in csh?

sh is pledged.

> and so is systrace useful there?

systrace was removed, so how can it be useful?


Re: systrace removed? Why?

Kevin Chadwick-4
> > Unfortunately systrace overhead can be significant for monitoring
> > complex programs but it could potentially be useful as a part of a
> > (HIPS or system intrusion or malfunction detection for a secure
> > server). hmmm, assuming pledge doesn't kill the offending process first,
> > haha.  
>
> systrace and pledge did not work together.  So that's baloney.

how do you mean? what happens on 5.9 when you use systrace with pledged
programs? Does cpu usage go through the roof by any chance? That would
explain why I have had to disable it to avoid waiting so long for
systraced desktop programs.

Thanks

--

KISSIS - Keep It Simple So It's Securable


Re: systrace removed? Why?

Kevin Chadwick-4
> how do you mean? what happens on 5.9 when you use systrace with pledged
> programs? Does cpu usage go through the roof by any chance? That would
> explain why I have had to disable it to avoid waiting so long for
> systraced desktop programs.

hmmm, actually I guess the claws-mail port may not be pledged yet but
cpu usage seemed to go through the roof on 5.9 anyways.

--

KISSIS - Keep It Simple So It's Securable


Re: systrace removed? Why?

Theo de Raadt-2
In reply to this post by L.R. D.S.
>> > Unfortunately systrace overhead can be significant for monitoring
>> > complex programs but it could potentially be useful as a part of a
>> > (HIPS or system intrusion or malfunction detection for a secure
>> > server). hmmm, assuming pledge doesn't kill the offending process first,
>> > haha.  
>>
>> systrace and pledge did not work together.  So that's baloney.
>
>how do you mean? what happens on 5.9 when you use systrace with pledged
>programs? Does cpu usage go through the roof by any chance? That would
>explain why I have had to disable it to avoid waiting so long for
>systraced desktop programs.

it is not important.

systrace was effectively deprecated 4-10 years ago, when there stopped
being a maintainer for it, or the broken ecosystem surrounding.

That was a gap needed to consider a replacement model.

What do you want here?


Re: systrace removed? Why?

Theo de Raadt-2
In reply to this post by L.R. D.S.
>> how do you mean? what happens on 5.9 when you use systrace with pledged
>> programs? Does cpu usage go through the roof by any chance? That would
>> explain why I have had to disable it to avoid waiting so long for
>> systraced desktop programs.
>
>hmmm, actually I guess the claws-mail port may not be pledged yet but
>cpu usage seemed to go through the roof on 5.9 anyways.

So it is just some theory you invented, without any facts?


Re: systrace removed? Why?

Kevin Chadwick-4
In reply to this post by Theo de Raadt-2
> it is not important.
>
> systrace was effectively deprecated 4-10 years ago, when there stopped
> being a maintainer for it, or the broken ecosystem surrounding.
>
> That was a gap needed to consider a replacement model.
>
> What do you want here?

I guess nothing important.

I am happy with pledge (I love it) as a replacement. I was simply
wondering what the potential dangers are for my web server that utilises
systrace on 5.9 along with newly pledged base processes and a few port
processes, currently it appears to be working fine, perhaps its
performance has suffered but I haven't noticed. I guess it takes
hundreds of syscalls to notice and I will simply switch to pledge when
performance requirements demand my time which I hope will happen within
6 months ;) . I already had plans to move to a potentially custom
pledged c binary (if my use case can be more restricted) and a nicer
and lighter system anyway.

So thanks for the hard work.

--

KISSIS - Keep It Simple So It's Securable


Re: systrace removed? Why?

Marc Espie-2
In reply to this post by Kevin Chadwick-4
There were some significant issues with systrace over the years.

Race-conditiony things that make you go hum, oh shit is this thing
more dangerous than what it's actually protecting. Plus semantic bugs.
Like the time we had to hunt a really weird copy bug in the qt code until
we realized it was just systrace fucking up.

Good riddance.


Re: systrace removed? Why?

Christian Weisgerber
On 2016-04-27, Marc Espie <[hidden email]> wrote:

> Race-conditiony things that make you go hum, oh shit is this thing
> more dangerous than what it's actually protecting. Plus semantic bugs.
> Like the time we had to hunt a really weird copy bug in the qt code until
> we realized it was just systrace fucking up.

Then there was the instance where a configure script would produce
a different result when run under systrace, causing a port to be
built differently.

--
Christian "naddy" Weisgerber                          [hidden email]


not exactly (Re: systrace removed? Why?)

Michal Bozon
In reply to this post by L.R. D.S.
> Why?

good(?) news: sysmerge is gone in 6.0
but not removed by 5.9 to 6.0 upgrade process.


Re: not exactly (Re: systrace removed? Why?)

Theo Buehler
On Sat, Sep 03, 2016 at 05:37:22PM +0000, Michal Bozon wrote:
> > Why?
>
> good(?) news: sysmerge is gone in 6.0
> but not removed by 5.9 to 6.0 upgrade process.
>

I really have a hard time understanding what you're trying to point out.

Yes, systrace is gone, but it's an ordinary binary that does no harm,
feel free to remove it if it makes you feel better.

sysmerge isn't gone, but it is executed automatically if you use a
bsd.rd upgrade, hence it's only mentioned in the manual upgrade process.


Re: not exactly (Re: systrace removed? Why?)

Michal Bozon
In reply to this post by Michal Bozon
> good(?) news: sysmerge is gone in 6.0
> but not removed by 5.9 to 6.0 upgrade process.

s/sysmerge/systrace/


Re: not exactly (Re: systrace removed? Why?)

Michal Bozon
In reply to this post by Theo Buehler
> > good(?) news: sysmerge is gone in 6.0
> > but not removed by 5.9 to 6.0 upgrade process.
> >
>
> I really have a hard time understanding what you're trying to point out.
>
> Yes, systrace is gone, but it's an ordinary binary that does no harm,
> feel free to remove it if it makes you feel better.
>
> sysmerge isn't gone, but it is executed automatically if you use a
> bsd.rd upgrade, hence it's only mentioned in the manual upgrade process.

ok, never mind,
i have just spotted it when comparing fs trees of
freshly installed 6.0 and
freshly installed/upgraded 5.9/6.0

.. and made sure to report it immediately,
since the removal of systrace is advertised
as a security enhancement :)


Re: not exactly (Re: systrace removed? Why?)

Edgar Pettijohn III-2
In reply to this post by Michal Bozon
Sent from my iPhone

On Sep 3, 2016, at 12:46 PM, Michal Bozon <[hidden email]> wrote:

>> good(?) news: sysmerge is gone in 6.0
>> but not removed by 5.9 to 6.0 upgrade process.
>
> s/sysmerge/systrace/
>

pledge()


Re: not exactly (Re: systrace removed? Why?)

Michal Bozon
In reply to this post by Michal Bozon
if someone's interested, here is a list of fs differences
between 6.0 upgraded from 5.9, and 6.0 install, i found,
with some obvious differences like smtpd spool or sysmerge
backups removed (amd64/qemu):

http://pastebin.com/raw/VPkdbvxy (text/plain)

(not pasting because of long lines)

hth
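
The comparison described in the posts above (file tree of a 6.0 system upgraded from 5.9 versus a fresh 6.0 install), as an added example that is not part of the thread and not the poster's script. The function names, the ignore pattern and every sample path are assumptions constructed for illustration; the real difference list is only in the linked paste.

```shell
#!/bin/sh
# Added example: report paths that exist on an upgraded system but not on a
# fresh install of the same release. All sample paths are constructed.

# stale_files UPGRADED_LIST FRESH_LIST [IGNORE_ERE]
# Each list holds one absolute path per line, e.g. from `find / -xdev -type f`.
# Prints paths found only in UPGRADED_LIST, minus any matching IGNORE_ERE.
stale_files() {
    _up=$(mktemp) || return 1
    _fr=$(mktemp) || { rm -f "$_up"; return 1; }
    # comm(1) requires both inputs sorted with the same collation.
    LC_ALL=C sort -u "$1" > "$_up"
    LC_ALL=C sort -u "$2" > "$_fr"
    if [ -n "${3:-}" ]; then
        # grep exits 1 when every line is filtered out; that is not an error.
        LC_ALL=C comm -23 "$_up" "$_fr" | grep -Ev -- "$3" || true
    else
        LC_ALL=C comm -23 "$_up" "$_fr"
    fi
    rm -f "$_up" "$_fr"
}

# Constructed listings standing in for the two file trees.
demo() {
    _d=$(mktemp -d) || return 1
    printf '%s\n' /usr/bin/ssh /bin/systrace /bin/sh \
        /etc/systrace/usr_sbin_named /var/spool/smtpd/queue/0a \
        /var/sysmerge/etc.tgz > "$_d/upgraded"
    printf '%s\n' /bin/sh /usr/bin/ssh /usr/bin/only-in-fresh > "$_d/fresh"
    # Ignore the expected differences the post mentions (spool, sysmerge backups).
    stale_files "$_d/upgraded" "$_d/fresh" '^/var/(spool/smtpd|sysmerge)/'
    rm -rf "$_d"
}

demo
```

Only paths left behind by the upgrade are reported; files that exist only in the fresh install are ignored, since the question in the thread is what an upgrade fails to remove.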