Date: Wed, 5 Jul 2000 16:24:40 -0700 (PDT)
From: Kris Kennaway
To: Susie Ward
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: SecureBSD (Was: Re: Firewalls and the endless story!)
In-Reply-To: <4.3.1.2.20000705165602.00da1ee0@mail.voltage.net>

On Wed, 5 Jul 2000, Susie Ward wrote:

> At 05:09 PM 7/5/00 -0400, Bill Fumerola wrote:
> >Yes, and the original poster demonstrated even further stupidity
> >by adding a proprietary product (SecureBSD 1.0) into the mix and
> >then expect that we support it.
>
> Speaking of SecureBSD, does anyone have any opinions on the usefulness of
> SecureBSD? I've thought about testing it out, but I don't have any servers
> at the moment to be playing with so I've been putting it off.

A lot of the features it provides aren't likely to be that useful in the
real world (limiting the ability to perform common syscalls to members of
a particular group, etc). The ability to only execute binaries with a
signature preloaded into the kernel, or to only execute binaries owned by
root may be of some use given enough work to tighten your system down, but
on the other hand you'd better not have any scripting languages installed
on your system (/bin/sh, anyone?) ;-)

I haven't looked at it beyond reading the (minimal) supplied documentation
because I'm scared of the license terms and what the securebsd people
might do to me if they catch up with me after I've read the code, but as
an end user by all means take a look and see if you think it's useful for
you.

My opinion so far is that it probably doesn't do enough to present more
than an annoyance to a determined intruder unless you really spend a lot
of time to tighten down your system (and severely limit its
functionality).

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe