Slashdot Mirror


NetBSD 2.0.2 Released

jschauma writes "James Chacon of the NetBSD Release Engineering team has announced that update 2.0.2 of the NetBSD operating system is now available. NetBSD 2.0.2 is the second security/critical update of the NetBSD 2.0 release branch. This represents a selected subset of fixes deemed critical in nature for stability or security reasons. More details are available in the NetBSD 2.0.2 Release Announcement."


  1. So, speaking of security, by hey! · · Score: 5, Interesting

    whatever happened to kernel privilege elevation, which was supposed to allow daemons in BSD to run as unprivileged accounts, but still do things like bind to certain low number IP ports? Supposedly, by making the ability to do certain privileged things fine grained, it reduced the impact of things like buffer overflows.

    Is this just part of the BSD landscape now? Did the idea pan out, and is BSD now relatively immune to a large class of security vulnerabilities?

    OT, I know, but I remember thinking that if this worked as well as it sounded, it was a good reason to move my Linux servers over to BSD.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    1. Re:So, speaking of security, by hey! · · Score: 3, Interesting

      Yes, that's it.

      So, what's the consensus been about the experience with this? Has it proven to be a huge improvement in security?

    2. Re:So, speaking of security, by Anonymous Coward · · Score: 1, Interesting

      Most people won't do the whole system, but individual daemons are not too much work.

      I do this with my servers which run a modified postgresql, though I use OpenBSD.

    3. Re:So, speaking of security, by Homology · · Score: 4, Interesting

      Well, sure, but that doesn't do squat for security -- it just makes things more insecure. So now an unprivileged app can masquerade as an apache or imapd.

      You do not understand the issue: Too many daemons run as root just because they need to bind to a low port. So any exploit will be a remote root exploit. Besides, if you rely on port numbers for security on random machines, I guess you have some problems ;-)

    4. Re:So, speaking of security, by hey! · · Score: 1, Interesting

      No offense taken, I do understand the problem. It's just that the problem of security never boils down to one thing, does it?

      It isn't just about a daemon getting root privileges. That's really bad of course. But impersonating a trusted program is really bad too, just not quite as bad. When the trusted program can bind to the port, and only that program, it solves both aspects of that particular problem.

      Oh, there's lots more ways we can get in trouble, but every door that's closed and locked is a good thing.
