Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 8 Sep 2011 03:15:18 -0700
From:      Stanislav Sedov <stas@FreeBSD.org>
To:        "Ilya Bakulin" <webmaster@kibab.com>
Cc:        Matt <sendtomatt@gmail.com>, freebsd-hackers@freebsd.org, "Robert N. M. Watson" <robert.watson@cl.cam.ac.uk>, Jonathan Anderson <jonathan.anderson@cl.cam.ac.uk>, Ben Laurie <benl@google.com>
Subject:   Re: Capsicum project: Ideas needed
Message-ID:  <20110908031518.481d8a78.stas@FreeBSD.org>
In-Reply-To: <2c9d3cc8a0b85313f55f53ca573af81a.squirrel@zugang.kibab.com>
References:  <4E167C94.70300@kibab.com> <4E1685D8.403@gmail.com> <2c9d3cc8a0b85313f55f53ca573af81a.squirrel@zugang.kibab.com>
next in thread | previous in thread | raw e-mail | index | archive | help 
On Fri, 8 Jul 2011 15:09:52 +0400
"Ilya Bakulin" <webmaster@kibab.com> mentioned:

> [CCing Ben, Robert and Jonathan as it's very important for me to receive
> their feedback about my thoughts]
> 
> Let me focus on those application ideas that you've mentioned. All the
> following are my thoughts and this may be incorrect, in this case please
> correct me.
> 
> > -any server software
> Yes, server software is a good candidate for bringing cap.mode in. Though
> this applies to servers that do not include in-process support for
> interpreters (ie Apache + mod_php), see later why. Such software as nginx,
> lighttpd is OK. Speaking about base system components, this list includes
> inetd daemons (but modification of inetd itself is NOT sufficient and
> ineffective, capability support implies modifying code of daemons)

I would also suggest our Heimdal Kerberos implementation as it performs
a lot of non-trivial ASN.1 and GSSAPI decapsulation/encapsulation when
processing packets and we saw a lot of vulenrabilities in the past in
these areas.  Unfortunately, Heimdal will be probably to large to break
into compartments.

-- 
Stanislav Sedov
ST4096-RIPE

()  ascii ribbon campaign - against html e-mail 
/\  www.asciiribbon.org   - against proprietary attachments

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20110908031518.481d8a78.stas>