Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 24 Jan 96 09:16:31 -0800
From:      Cy Schubert - BCSC Open Systems Group <cschuber@uumail.gov.bc.ca>
To:        Nathan Lawson <nlawson@statler.csc.calpoly.edu>
Cc:        pst@shockwave.com (Paul Traina), security@FreeBSD.org
Subject:   Re: Ownership of files/tcp_wrappers port  
Message-ID:  <199601241716.JAA13076@passer.osg.gov.bc.ca>
In-Reply-To: Your message of "Tue, 23 Jan 96 12:06:06 PST." <199601232006.MAA11043@statler.csc.calpoly.edu>
next in thread | previous in thread | raw e-mail | index | archive | help 
Nathan Lawson <nlawson@statler.csc.calpoly.edu> writes:
> > 	(b) it's already trivial for a user to add this support into the
> > 	    base system should they desire it
> 
> Not true.  Many utilities like mountd, portmap, and ypserv have to be 
> recompiled to have additional access control, inetd.conf has to be changed,
> etc.  Repeat this on several hundred machines and you start seeing Slackware'
s
> divided install look pretty good.

I disagree.  There is no need to recompile these utilities to have any 
additional access control if you want to use the IPFW code that is already in 
the kernel.  The IPFW code in the kernel doesn't do any DNS lookups like TCPD 
does but it gives you a basic level of security without breaking any application 
code.

It may be an idea to enhance the IPFW code in the kernel to do some periodic DNS 
lookups, e.g. if this is the first time the kernel has seen a packet from 
location X or if location X hasn't been verified in N hours/minutes then do the 
appropriate lookups to make IP spoofing more difficult. A kernel level 
KILL_IP_OPTIONS option could be a valuable extension as well.

By keeping the code in the kernel (or library), adding additional security 
features to a service and controlling these features could be performed via some 
config file rather than a recompile.


Regards,                       Phone:  (604)389-3827
Cy Schubert                    OV/VM:  BCSC02(CSCHUBER)
Open Systems Support          BITNET:  CSCHUBER@BCSC02.BITNET
BC Systems Corp.            Internet:  cschuber@uumail.gov.bc.ca
                                       cschuber@bcsc02.gov.bc.ca

		"Quit spooling around, JES do it."

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199601241716.JAA13076>