Bug#740509: On netstat being setgid kmem
At 20:10, Petr Salinger wrote:
> It used to be since:
>
> freebsd-utils (8.2+ds2-10) unstable; urgency=low
>
> * Set SGID and group kmem on netstat. (Closes: #643840)
>
> And it is still sgid in Debian's stable version.
> May be it is not needed anymore, I didn't recheck this.
Okay, I found a lot of odd things:
* in the latest freebsd-net-tools (10.1~svn272167-1) it is actually
setgid kmem!
* on a 10.1 kernel, it seems fine with kmem, and fine without it
(it just shows a "kvm not available" warning)
* in a sid schroot on 9.0 kernel like on the buildds - not sure yet
* on a 9.0 kernel, without kmem, it shows listening sockets but
does not show the word LISTEN in the state column - I think that's
the real cause of #761418 (a package's testsuite greps netstat -an
output for that word)
* on a 9.0 kernel, without kmem, it segfaults - I think that's related
to #740509 - there were changes to the struct returned by
NET_RT_IFLIST sysctl and it also broke ifconfig
I'm paranoid about netstat being setgid kmem in Debian, because we have
a high risk of kernel/userland ABI mismatch - like the bugs above. In
this case it caused a segfault, but we could have had a situation with
kernel bytes leaked into userland.
The sysctl mode now seems able to do everything we need, but we'd need
to fix the two bugs mentioned above, and mute the "kvm not available"
warning.
(Actually, those are kfreebsd's *only* RC bugs right now [affecting
jessie+sid, not marked patch/pending].)
Regards,
--
Steven Chamberlain
steven@pyro.eu.org
Reply to: