Re: Locally exploitable races? OpenBSD

[Dan Weeks <danimal@danimal.org>]

>>>>> "HS" == "Hannah Schroeter" <uk1o@rz.uni-karlsruhe.de>:
HS> 
HS> Hello!
HS> On Tue, Jun 05, 2001 at 11:49:28AM -0600, Todd C. Miller wrote:
HS>> What he's talking about is completely irrelevant because it requires
HS>> things use rfork() and nothing in the system does...
HS> 
HS>> Should the races get fixed?  Yes.
HS>> Is it a real problem?  Nope.
HS> 
HS> Huh? As long as non-root users can invoke rfork() and can thus crash
HS> (and possibly more) the machine by purpose, it IS a real problem IMHO.

This thing to remember here is that:
(1) Todd acknowledged it,
(2) he said they should be fixed (and I have no reason to doubt that they
    will, but I've yet to see a patch submitted from me or you or anyone
    else for that matter), 
(3) apparently nothing in the *default* install uses rfork(), thus it isn't
    as critical (but i would guess it is important in the long run as it
    relates to the goals of OpenBSD),
(4) there are many other things that users can do to bring a system down
    besides using rfork().

As far as I can tell no exploit of the default install has been published.
Complaining about this will only incite the same sorts of inaction and talk
that the IPF license issue brought....it just doesn't help.

-- 
dan weeks - codemonkey

"We're on the run from Johnny Law...
 ...this ain't no trip to Cleveland!" - Dignan