I would like to educate people about something which many are not aware of -- how X works on a modern machine.

Some of our architectures use a tricky and horrid thing to allow X to run. This is due to modern PC video card architecture containing a large quantity of PURE EVIL. To get around this evil the X developers have done some rather expedient things, such as directly accessing the cards via IO registers, directly from userland. It is hard to see how they could have done other -- that is how much evil the cards contain.

Most operating systems make it trivially easy for X to do this, but OpenBSD creates a small security barrier through the use of an "aperture driver", called xf86(4):

    http://www.openbsd.org/cgi-bin/man.cgi?query=xf86

This device exists on i386, amd64, alpha, cats, macppc, and sparc64. (Other architectures do not need such a thing, since they have less evil).

So let's say X wants to use the "aperture". Permission to use it is controlled by the following sysctl(8) variable:

    # sysctl -a machdep.allowaperture
    machdep.allowaperture=0

The three possible values are 0 (aperture disabled), 1 (small window for very old video cards), or 2 (large window for modern video cards which have more evil in them). If you are running X on one of the architectures listed above, you will have it set to 1 or 2.

The aperture setting cannot be changed once the system has booted multiuser because the system securelevel locks it. The initial setting of this variable however comes from a line in /etc/sysctl.conf. You will find a line like this (ie. 2, for a fancy video card):

    machdep.allowaperture=2         # See xf86(4)

If you had a machine that was not running X you might see either of the following (# is a comment character, so that is why these are the same).

    #machdep.allowaperture=2        # See xf86(4)
    machdep.allowaperture=0         # See xf86(4)

The kernel default is 0.... but for a few releases the OpenBSD install script has had the question:

    Do you expect to run the X Window System? [yes]

And if you answered "yes" (or just hit return), /etc/sysctl.conf was changed, so that the setting became "2".

Well, recently we have changed our minds, because we still feel that the aperture is too dangerous. And the vendors keep finding creative ways to squeeze more and more evil into their video cards!

Please be aware that other operating systems don't even have an aperture device, because they simply let root processes talk to the video cards (via /dev/mem). Their X servers also run entirely as root, while ours is now privilege separated and running jailed as user _x11.

Even so, our privilege separated X server is talking directly to the IO registers of a video card with much evil in it. And many newer video cards are very smart, capable, and thus dangerous. So we have concerns.

Therefore, after 3.9, that default for the install script question is being changed to "no".

If you are not using X we recommend ensuring that the aperture is closed. Please edit /etc/sysctl.conf, change to machdep.allowaperture=0, and reboot.
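
Added example, not part of the original post: a small sh audit that reads a sysctl.conf-style file, works out which machdep.allowaperture value it would set at boot (a commented-out line counts as the kernel default of 0), and flags an open aperture on a machine that does not run X. The function names are hypothetical, and the script assumes that when several assignments are present the last one takes effect.

```shell
#!/bin/sh
# Added example: audit the boot-time aperture setting described in the post.

# aperture_from_conf FILE
# Prints the value FILE assigns to machdep.allowaperture, or 0 (the kernel
# default) when the line is missing, commented out, or the file is unreadable.
# Assumption: with several assignments present, the last one wins.
aperture_from_conf() {
    conf=$1
    val=0
    [ -r "$conf" ] || { echo "$val"; return 0; }
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                            # strip the comment part
        line=$(printf '%s' "$line" | tr -d ' \t')   # strip blanks and tabs
        case $line in
            machdep.allowaperture=*) val=${line#*=} ;;
        esac
    done < "$conf"
    echo "$val"
}

# aperture_verdict VALUE: name the three documented states, reject the rest.
aperture_verdict() {
    case $1 in
        0) echo "closed" ;;
        1) echo "open-small" ;;
        2) echo "open-large" ;;
        *) echo "invalid" ;;
    esac
}

# audit_aperture FILE USES_X(yes|no)
# Returns 1 when X is not in use but the file would open the aperture.
audit_aperture() {
    v=$(aperture_from_conf "$1")
    state=$(aperture_verdict "$v")
    echo "machdep.allowaperture=$v ($state)"
    if [ "$2" = no ] && [ "$state" != closed ]; then
        echo "X not in use: set machdep.allowaperture=0 in $1 and reboot"
        return 1
    fi
    return 0
}

# Run against a real file only when one is named on the command line.
if [ "$#" -gt 0 ]; then
    audit_aperture "$1" "${2:-no}"
fi
```

The file only determines the value applied at the next boot; compare it with the output of the sysctl command shown above to see what the running kernel has.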