Re: [fw-wiz] Web server security?

From: Paul D. Robertson
Date: 06/22/04

    To: Crispin Cowan
    Date: Tue, 22 Jun 2004 11:01:02 -0400 (EDT)

    On Tue, 22 Jun 2004, Crispin Cowan wrote:

    > Previously available only as a feature of Immunix OS, SubDomain is now
    > available as a stand-alone product for Linux 2.6 systems via the LSM
    > interface for pluggable security modules. In the near term, since
    > Immunix requires Linux 2.6, that means SuSE 9.1.

    I'm unlikely to do a major kernel version upgrade on my only personal Web
    server until I'm comfortable with 2.6.

    "Product" sounds like money, and for my personal sites, I'd rather spend
    time than money, especially if I end up with something that's redeployable
    for other reasons. I'm not all that enthused about the reported 2.6
    syscall table changes, as it'll stop some of the ad-hoc kernel patching
    I've been doing with modules (or make the modules more complex and less
    easy to validate.) It'll also make me have to change my kernel code to do
    things I've been doing in modules...

    > >I've got a kernel module
    > >that needs dusting off that doesn't allow daemons to execve, which makes
    > >things a little better for that last vector...
    > >
    > >
    > SubDomain also controls the set of programs that any given program can
    > exec, so preventing a daemon from exec'ing nastiness, or preventing
    > Apache from exec'ing surprising things, is easy.

    As I said, I'm using gcgi, so controlling things from my end isn't all
    that difficult, and I've already got the kernel module :) Since my way
    covers my resolver and any associated cruft I'm running for other reasons,
    I'm relatively happy with it- I'd just prefer to do a more formally proven

    > >Nope, I'm going to put SSL on my personal server in an attempt to sell
    > >some of my photography, and I know the additional complexity is going to
    > >require more frequent updates.
    > >
    > I don't follow. A strong MAC security policy should *reduce* the
    > frequency of security updates. A *flexible* MAC security policy should

    Right, but without MAC, I'm going to be updating my server more and more
    often, since I'm now bringing the entire OpenSSL swath of bugs onto the
    server. Once I start the commerce thing, I'll probably have to switch off
    of the good SSH as well, and go with the GNU replacement or OpenSSH, so
    again, more rapid changes than I'm used to. Likely I'll avoid OpenSSH
    for comfort reasons.

    > allow you to upload additional content without having to change the
    > security policy; SubDomain lets you use regular expressions and
    > recursion to allow access to, say, all of the .html and .jpg files in a
    > specified directory tree. What is it you anticipate having to update
    > frequently?

    Apache and OpenSSL. I really like the idea of something like UML though,
    but I haven't benched it yet. For most of my stuff, performance isn't a
    big deal, but I've got one site that really wants performance, and until I
    can get it moved over somewhere, I'll design for that site.

    Paul D. Robertson
    "My statements in this message are personal opinions which may have no basis whatsoever in fact."
    Director of Risk Assessment
    TruSecure Corporation
    firewall-wizards mailing list
