Latest articles in ‘Freebsd’

  1. BSDA certification review

    Published: Fri 22 September 2017 in Opinions.
    Updated: Tue 26 September 2017 (Add link to the BSDA Certification Study DVD)
    Facts, advice and personal impressions on the BSDA certification from the BSD Certification Group.

    The five Ws

    • What: The BSD Associate (BSDA) is a technical certification on BSD systems administration. It covers DragonFlyBSD, FreeBSD, NetBSD and OpenBSD.

      This certification covers general BSD systems administration (there is not much about the system architecture itself), the specificities of each covered BSD flavor, common Unix services administration, and also a few non-technical points, notably on the BSD license and its differences from other licensing types.

      I personally find the official naming misleading, as the requirements for this certification actually target system administrators, not assistants.

    • When: The BSDA has no prerequisites, but it is very technical and covers a wide range of domains, so I would certainly not recommend it for beginners.

      It can be seen as the BSD counterpart of the LPIC-2 Linux certification.

    • Why: BSD systems have a different approach than Linux ones on a lot of things, both technical and non-technical. Being Linux certified does …

  2. Isolate your services using jails and containers

    Published: Thu 10 August 2017 in Cookbook.
    Use FreeBSD jails and Linux LXC efficiently to make your server both more secure and easier to manage.

    Containers and jails allow you to make your system more secure, more reliable, more flexible and, at the end of the day, easier to manage. Once you get used to them, it becomes difficult to imagine setting up a server without such features.

    But what are they exactly?

    Containers and jails

    Containers and jails designate different implementations of operating-system-level virtualization. Like a lot of the low-level security features we encounter in today's world, this functionality can be traced back to the old mainframes, where reliability and parallelism are at the core of the system, and which allow a host system to be partitioned into smaller isolated systems.

    This feature then went through commercial Unixes to finally reach open-source operating systems. The first open-source OS to really implement this feature was FreeBSD, which has offered its jail functionality since 2000 (FreeBSD 4.0). In the meantime there were several more-or-less successful attempts …

  3. FreeBSD jail SHM hole (CVE-2017-1087)

    Published: Wed 02 August 2017 in Cookbook.
    Updated: Thu 16 November 2017 (CVE assigned to this issue (finally, thanks Remko!))
    FreeBSD <=10.3 jails are not air-tight, vulnerability explanation and POC.

    In FreeBSD's early days, shared memory (SHM) objects were associated with an actual file system object. Each jail having its own filesystem root, SHM objects were therefore not reachable by other jails.

    FreeBSD 7.0 switched to a purely abstract representation of SHM objects. They are now just names, with no relation to the underlying filesystem.

    Due to this, any jail gained read-write access to any SHM object system-wide, with no available workaround to prevent or limit this (this is not to be confused with IPCs, which can be disabled on a per-jail basis; here there is strictly no way to prevent the issue).

    This issue has been published in the FreeBSD Security Advisory FreeBSD-SA-17:09 and CVE-2017-1087.

    fbsd-shm-hole.c is a small POC allowing to quickly test and demonstrate the issue.


    1. Compile and copy this tool in two different jails …

  4. Do randomized PIDs bring more security?

    Published: Sat 23 May 2015 in Opinions.
    The limits of randomness-based security and the position of the main free *nixes on the subject.

    The issue

    I read an article in the French magazine MISC (no. 74 - July/August, 2014) publishing a flaw affecting stunnel and libssh.

    To make things short, this flaw relies on the fact that a hello cookie created by the server is generated using the current Unix timestamp (so up to the second) and the PID of the process handling the request. The exploit sends a high number of connection attempts in order to force the server to generate duplicated cookies. Ultimately this attack aims to deduce the server's private keys.

    The author explains that such an attack is not feasible on systems using traditional sequential PIDs, because it would require more than 65000 connection attempts to be made in less than one second.

    However, thanks to the random PIDs used on some "hardened" systems, the author demonstrates that, with 20 connection attempts per second, there is statistically more than one …
