Re: Security zone
From: Borja Marcos (borjamar@sarenet.es)
Date: 11/28/01
From: Borja Marcos <borjamar@sarenet.es>
To: Brett Glass <brett@lariat.org>
Date: Wed, 28 Nov 2001 21:18:50 +0100
On Sunday 25 November 2001 17:15, you wrote:
> This only helps if you run every application setuid to a
> unique uid. And then it can't get at your personal files....
> There's an additional matrix of capabilities here that
> ought to be independent of uid or gid.
(Sorry for the delay)
I find the issue a bit complex. Which criteria could I use in ipfw rules?
The program name? I use process accounting on most machines, and it can be a
great tool, but an intruder can notice it and rename his/her programs so that
the executions get logged as harmless commands. At least the uid is more
difficult for a user to alter than a process name.
Or are you thinking about something more complex? Perhaps using program
signatures? For now, I think that the uid/gid parameters in ipfw rules can be
very convenient.
Borja.