NetBSD Problem Report #35004
From www@NetBSD.org Tue Nov 7 03:05:50 2006
Return-Path: <www@NetBSD.org>
Received: by narn.NetBSD.org (Postfix, from userid 31301)
id 82A6563B8CA; Tue, 7 Nov 2006 03:05:50 +0000 (UTC)
Message-Id: <20061107030550.82A6563B8CA@narn.NetBSD.org>
Date: Tue, 7 Nov 2006 03:05:50 +0000 (UTC)
From: blair.sadewitz@gmail.com
Reply-To: blair.sadewitz@gmail.com
To: gnats-bugs@NetBSD.org
Subject: Could an MI aperture driver be added to the web site's list of contrib projects?
X-Send-Pr-Version: www-1.0
>Number: 35004
>Category: kern
>Synopsis: Could an MI aperture driver be added to the web site's list of contrib projects?
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: change-request
>Submitter-Id: net
>Arrival-Date: Tue Nov 07 03:10:01 +0000 2006
>Last-Modified: Mon Jul 16 17:56:32 +0000 2007
>Originator: Blair Sadewitz
>Release: amd64 -current (4.99.3)
>Organization:
>Environment:
NetBSD woody 4.99.3 NetBSD 4.99.3 (WOODY) #1: Sun Nov 5 16:04:04 EST 2006 blair@woody:/u/src/sys/arch/amd64/compile/WOODY amd64
>Description:
OpenBSD has a kernelized aperture to avoid having to run a suid X
server on i386, amd64, cats, and other ports. While I am undoubtedly
not qualified to write this (or port OpenBSD's driver, whichever
is easier), perhaps someone else out there would like to take this
up. While I realize that an aperture driver does not eliminate all
security problems, it sure would be nice to be able to run securelevel
1 and X simultaneously. Thus, I propose that this be mentioned in
www/contrib/projects.html.
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
From: Pavel Cahyna <pavel@NetBSD.org>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: kern/35004: Could an MI aperture driver be added to the web site's list of contrib projects?
Date: Sat, 2 Dec 2006 00:57:47 +0100
On Tue, Nov 07, 2006 at 03:10:01AM +0000, blair.sadewitz@gmail.com wrote:
> OpenBSD has a kernelized aperture to avoid having to run a suid X server
> on i386, amd64, cats, and other ports. While I am undoubtedly not
> qualified to write this (or port OpenBSD's driver, whichever is easier),
> perhaps someone else out there would like to take this up. While I
> realize that an aperture driver does not eliminate all security problems,
> it sure would be nice to be able to run securelevel 1 and X
> simultaneously. Thus, I propose that this be mentioned in
> www/contrib/projects.html.
There is an aperture driver, see
http://www.netbsd.org/Ports/i386/faq.html#x_needs_insecure_kernel
The fact that it is not in the base system is not an accident. See
http://mail-index.netbsd.org/tech-kern/2006/11/09/0002.html
And I suspect that a recent change to disable access to I/O ports if
securelevel >= 1 broke X in securelevel 1 anyway.
I propose to close this PR.
From: "Blair Sadewitz" <blair.sadewitz@gmail.com>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: kern/35004: Could an MI aperture driver be added to the web site's list of contrib projects?
Date: Sat, 2 Dec 2006 14:39:55 -0500
If X does not work with the aperture driver at securelevel 1, then yes,
close the PR.
If it does, then I think it could be a good idea to do what OpenBSD does;
yes, there is still vulnerability, but it does help.
Of course, framebuffer drivers in the kernel are preferable, but I'm not
counting on that ... ;)
>Unformatted:
Copyright © 1994-2007
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.