From nobody Sun Nov 27 19:00:25 2022 X-Original-To: questions@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4NKycM00SFz4jVxX for ; Sun, 27 Nov 2022 19:01:07 +0000 (UTC) (envelope-from olivier.freebsd@free.fr) Received: from smtp6-g21.free.fr (smtp6-g21.free.fr [IPv6:2a01:e0c:1:1599::15]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4NKycL1cfDz4FBF for ; Sun, 27 Nov 2022 19:01:06 +0000 (UTC) (envelope-from olivier.freebsd@free.fr) Authentication-Results: mx1.freebsd.org; dkim=pass header.d=free.fr header.s=smtp-20201208 header.b=KjYWwmhn; spf=pass (mx1.freebsd.org: domain of olivier.freebsd@free.fr designates 2a01:e0c:1:1599::15 as permitted sender) smtp.mailfrom=olivier.freebsd@free.fr; dmarc=pass (policy=none) header.from=free.fr Received: from ravel.localnet (unknown [109.210.33.132]) (Authenticated sender: olivier.freebsd@free.fr) by smtp6-g21.free.fr (Postfix) with ESMTPSA id 0E8747802D6 for ; Sun, 27 Nov 2022 20:00:25 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=free.fr; s=smtp-20201208; t=1669575653; bh=Si/Rol5hhvo4rIHgymAOjWPS57bQbRMsbZWMEbxTz/I=; h=From:To:Subject:Date:In-Reply-To:References:From; b=KjYWwmhnTlJu8x60HKFdN3hJ2NehZkEQ5AIKAUwfCfea6USx0TvwsvDeKlDiQ+yfn x9nwZRJhABRv9nbp7c3CPBUfzPWtDHVqmuXlGfRc/jvOmyqeOtby8rw9hcMkv1qXOv C2RlqgHCxmYAyf8nXBY7KNMvVtqCSpvP+eJxOyTnDAPBGwHtw6MXUNjIGaS/aS22uA cBpTaJ9gLiEBa6d2quCdbfGkGOGh6cfyFUAoXwBSlX1nxf4rHrUVh4Po2VnrjL5B0E ywyj6FkJ09zEFep49+atI04IwrFuubMR3Fj24bJsLVXkEVrOxsYH+ZzIFY6iahxVyA 3V07WaarXiuxA== From: Olivier Certner To: questions@freebsd.org Subject: Re: What exactly is hostid used for? Date: Sun, 27 Nov 2022 20:00:25 +0100 Message-ID: <19877734.Z0uf88f6Bl@ravel> In-Reply-To: References: List-Id: User questions List-Archive: https://lists.freebsd.org/archives/freebsd-questions List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-questions@freebsd.org X-BeenThere: freebsd-questions@freebsd.org MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="UTF-8" X-Spamd-Result: default: False [-2.00 / 15.00]; SUBJECT_ENDS_QUESTION(1.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; NEURAL_HAM_SHORT(-1.00)[-0.999]; MID_RHS_NOT_FQDN(0.50)[]; CTE_CASE(0.50)[]; DMARC_POLICY_ALLOW(-0.50)[free.fr,none]; R_DKIM_ALLOW(-0.20)[free.fr:s=smtp-20201208]; R_SPF_ALLOW(-0.20)[+ip6:2a01:e0c:1:1599::15]; MIME_GOOD(-0.10)[text/plain]; TO_MATCH_ENVRCPT_ALL(0.00)[]; FROM_HAS_DN(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[questions@freebsd.org]; RCVD_IN_DNSWL_NONE(0.00)[2a01:e0c:1:1599::15:from]; RCPT_COUNT_ONE(0.00)[1]; MLMMJ_DEST(0.00)[questions@freebsd.org]; RCVD_VIA_SMTP_AUTH(0.00)[]; DWL_DNSWL_NONE(0.00)[free.fr:dkim]; RCVD_COUNT_TWO(0.00)[2]; DKIM_TRACE(0.00)[free.fr:+]; TO_DN_NONE(0.00)[]; FREEMAIL_FROM(0.00)[free.fr]; ARC_NA(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; ASN(0.00)[asn:12322, ipnet:2a01:e00::/26, country:FR]; MIME_TRACE(0.00)[0:+]; FREEMAIL_ENVFROM(0.00)[free.fr]; RCVD_TLS_ALL(0.00)[] X-Rspamd-Queue-Id: 4NKycL1cfDz4FBF X-Spamd-Bar: - X-ThisMailContainsUnwantedMimeParts: N For whatever reason, I never received grarpamp's mail. So copy-pasting his answer from online archives, and replying to Doug instead. > > But frankly, why would you ever bother with disabling it? Indeed, just after sending the mail I felt I had exaggerated a bit with this question. Especially because I had written this just before: > > Moreover, applications can access the hostid ('kern.hostid' or the longer > > 'kern.hostuuid') through sysctl(3) or gethosid(3), and do whatever they > > want with it. (There is a typo above, it is gethostid(3), of course.) So yes, this information is by default public and any application can obtain it. And worse, it is not possible to prevent anybody from obtaining it on the full host: Changing the permissions of '/etc/hostid' alone is useless, since 'sysctl kern.hostuuid' is not restricted, and currently cannot be without additional code. To avoid this particular leak, there are 3 easy ways: - Disable the host ID ('hostid_enable="NO"' in '/etc/rc.conf'). - Have a startup script that overwrites '/etc/hostid' at each boot. - Launch your application in a jail, which can have independently-set 'kern.hostid' and 'kern.hostuuid', with a start script that produces and sets a random value for them (through '/etc/hostid', or directly setting them with the latter disabled). The third is a bit more involved but preserves the ability to correctly set the ID on the full host. More generally, however, this leads me to FreeBSD's main information leakage: The sysctl MIB. It is not restricted in any way, at least for reading, and contains tremendous information about the running system, which surely is more than enough to identify uniquely a given machine and could as well help when trying to exploit the machine. This indeed should be fixed. In principle this is easy, but the devil is in the details (such as the (ab?)use of CTLFLAG_ANYBODY, and more generally in determining which information is needed and useful for unprivileged userland, effectively implying to tag the knobs that can be safely read by anybody, and perhaps removing a bunch of them in favor of other mechanisms). I may give it a shot at some point. > Because "apps (often aka anti-privacy tools)" and nic's and attacks > can read your unique and paste it into the internet, and do whatever > else with it. Yes, but if you use well-known open-source apps, risk is extremely low. On the other hand, for proprietary apps, sure there is a risk, but then you should at the very least jail them. > Would not be surprising if javascript browsers are reading such things. Doug's answer says the essential. I'm pretty sure browsers don't provide this information directly, but it might be retrievable in indirect ways. But given all the other easier fingerprinting vectors, a priori I doubt it is worth the hassle. > Nor would some environments want it embedded in say offsite backups of > zpools, etc. You're probably identifiable by what's in your backups, so if you're are serious about this, you have to encrypt them in whole, in which case the host ID cannot be read, so this is a non-issue. > If NFS ZFS HAST and other apps can't take a manually supplied app-specific > string to use instead of reading whatever happens (or not) to be in hostid, > or even continuing to work with just null, then that represents bugs in > privacy, validation testing, and debugging capability that need be fixed. They all work without host ID as well. Albeit with a minor complication for ZFS, as mentioned in my previous mail. Don't know what would happen in the case of creating a zpool with no hostid. I'd guess that 0 is used, but I'm not sure if this disables the import check. For the network interfaces mentioned, a MAC address is generated randomly instead of derived from the host ID. For NFSv4, I don't think you have much other choice than running the client in a jail, where you can set a specific host ID. Sure, there could be a mount option. If we come up with enough use cases, it may appear that a more generic mechanism is needed to allow selective overriding and restriction of a lot of sysctl knobs. In the meantime, for the host ID and some selected others, we have jails. -- Olivier Certner