Tor TransPort on OpenBSD?

Hannah Schroeter hannah at pond.sub.org
Sun Aug 10 23:07:43 UTC 2008


Hi!

On Sun, Aug 10, 2008 at 05:55:59PM -0500, Scott Bennett wrote:

>     Perhaps OpenBSD works differently in this regard, but in FreeBSD the
>above will only last until the next reboot because the /dev directory is
>cleared and repopulated during initialization according to the devices
>found during kernel autoconfiguration.  To make such changes each time
>the system boots, IIRC, one must make the appropriate changes to
>/boot/device.hints (see device.hints(5)).

OpenBSD has classical MAKEDEV style handling of /dev. However,
non-standard protections might be clobbered when you upgrade.

A better fix would indeed be opening /dev/pf before dropping privileges.
And the gold standard would be separating /dev/pf operations out into a
separate process, that drops root anyway, but keeps the /dev/pf file
descriptor and offers only those /dev/pf operations to the main process
that are really needed instead of making *all* /dev/pf operations
available to the main process. (Privilege separation.)

Kind regards,

Hannah.
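The privilege-separated layout described in the message above, as an added example (not part of the original post and not Tor's code): a helper opens the device while still privileged, drops root, keeps the descriptor and answers exactly one request type over a socketpair. The names `privsep_start`, `privsep_call`, `REQ_NATLOOK` and `sample_op` are hypothetical, and `sample_op` is a constructed stand-in for the real /dev/pf ioctl so the code builds on systems without pf.

```c
#define _DEFAULT_SOURCE                   /* glibc: expose setgroups() */
#include <fcntl.h>
#include <grp.h>
#include <stdint.h>
#include <sys/socket.h>
#include <unistd.h>

enum { REQ_NATLOOK = 1 };                 /* the only request the helper serves */
struct req { uint32_t op, arg; };
struct rep { int32_t status; uint32_t value; };
typedef int (*dev_op)(int fd, uint32_t arg, uint32_t *out);

/* Constructed stand-in for the real device call (on OpenBSD: an ioctl on /dev/pf). */
int sample_op(int fd, uint32_t arg, uint32_t *out) {
    *out = arg + 1;
    return write(fd, &arg, sizeof arg) == (ssize_t)sizeof arg ? 0 : -1;
}

/* Call while still privileged. Returns the request socket for the main process. */
int privsep_start(const char *path, dev_op op, uid_t uid, gid_t gid, pid_t *pid) {
    int sv[2], fd = open(path, O_RDWR);   /* open before any privilege drop */
    if (fd < 0) return -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) { close(fd); return -1; }
    if ((*pid = fork()) < 0) { close(fd); close(sv[0]); close(sv[1]); return -1; }
    if (*pid == 0) {                      /* helper: keeps fd, gives up root */
        struct req q; struct rep r;
        close(sv[0]);
        if (geteuid() != uid && (setgroups(1, &gid) || setgid(gid) || setuid(uid)))
            _exit(1);                     /* fail closed if the drop fails */
        while (read(sv[1], &q, sizeof q) == (ssize_t)sizeof q) {
            r.value = 0;                  /* anything but REQ_NATLOOK is refused */
            r.status = q.op == REQ_NATLOOK ? op(fd, q.arg, &r.value) : -1;
            if (write(sv[1], &r, sizeof r) != (ssize_t)sizeof r) break;
        }
        _exit(0);
    }
    close(fd);                            /* main process never holds the device fd */
    close(sv[1]);
    return sv[0];
}

/* Main-process side: one request, one reply. Returns the helper's status. */
int privsep_call(int sock, uint32_t op, uint32_t arg, uint32_t *out) {
    struct req q = { op, arg }; struct rep r;
    if (send(sock, &q, sizeof q, MSG_NOSIGNAL) != (ssize_t)sizeof q) return -1;
    if (recv(sock, &r, sizeof r, MSG_WAITALL) != (ssize_t)sizeof r) return -1;
    *out = r.value;
    return r.status;
}
```

The main process is expected to drop its own privileges right after `privsep_start` returns; from then on a compromise of the main process reaches the device only through the single request the helper accepts.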



More information about the tor-talk mailing list