Date: Wed, 24 Jan 96 09:16:31 -0800
From: Cy Schubert - BCSC Open Systems Group <cschuber@uumail.gov.bc.ca>
To: Nathan Lawson <nlawson@statler.csc.calpoly.edu>
Cc: pst@shockwave.com (Paul Traina), security@FreeBSD.org
Subject: Re: Ownership of files/tcp_wrappers port
Message-ID: <199601241716.JAA13076@passer.osg.gov.bc.ca>
In-Reply-To: Your message of "Tue, 23 Jan 96 12:06:06 PST." <199601232006.MAA11043@statler.csc.calpoly.edu>
Nathan Lawson <nlawson@statler.csc.calpoly.edu> writes:

> > (b) it's already trivial for a user to add this support into the
> > base system should they desire it
>
> Not true. Many utilities like mountd, portmap, and ypserv have to be
> recompiled to have additional access control, inetd.conf has to be changed,
> etc. Repeat this on several hundred machines and you start seeing Slackware's
> divided install look pretty good.

I disagree. There is no need to recompile these utilities to have any additional access control if you want to use the IPFW code that is already in the kernel. The IPFW code in the kernel doesn't do any DNS lookups like TCPD does, but it gives you a basic level of security without breaking any application code.

It may be an idea to enhance the IPFW code in the kernel to do some periodic DNS lookups, e.g. if this is the first time the kernel has seen a packet from location X, or if location X hasn't been verified in N hours/minutes, then do the appropriate lookups to make IP spoofing more difficult. A kernel-level KILL_IP_OPTIONS option could be a valuable extension as well.

By keeping the code in the kernel (or library), adding additional security features to a service and controlling these features could be performed via some config file rather than a recompile.

Regards,

Cy Schubert                     Phone:    (604)389-3827
Open Systems Support            OV/VM:    BCSC02(CSCHUBER)
BC Systems Corp.                BITNET:   CSCHUBER@BCSC02.BITNET
                                Internet: cschuber@uumail.gov.bc.ca
                                          cschuber@bcsc02.gov.bc.ca

"Quit spooling around, JES do it."
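The message contrasts two ways of gating access to services such as portmap or mountd: a kernel packet filter (IPFW) that decides purely on the source address and never consults DNS, and TCPD, which resolves the client to a hostname before matching hosts.allow-style patterns. The following is an added illustration of that difference, written for this archive page and not code from either the thread's participants or FreeBSD itself. Both checkers run over constructed, in-memory rule and DNS tables (the addresses and hostnames are documentation-range placeholders, not real hosts), and the name-based checker includes the forward/reverse consistency check tcpd performs in PARANOID mode, which is what stops an attacker-controlled PTR record from impersonating a trusted name.

```python
"""Address-based (IPFW-style) vs name-based (TCPD-style) access control.

Added example for the thread above; not code from the original message or
from FreeBSD. All tables below are constructed test data.
"""
import ipaddress

# Constructed reverse (PTR) and forward (A) DNS tables. 198.51.100.7 is an
# address whose owner controls its PTR and points it at a trusted name, but
# the trusted zone does not forward-resolve that name to 198.51.100.7.
REVERSE_DNS = {
    "192.0.2.10": "trusted.example.org",
    "198.51.100.7": "trusted.example.org",   # spoofed PTR
}
FORWARD_DNS = {
    "trusted.example.org": {"192.0.2.10"},
}

# IPFW-style ruleset: ordered (action, network) pairs, first match wins.
# No DNS is involved at any point; only the packet's source address counts.
IPFW_RULES = [
    ("allow", ipaddress.ip_network("192.0.2.0/24")),
    ("deny", ipaddress.ip_network("0.0.0.0/0")),
]

# hosts.allow-style table: daemon name -> client patterns, tcpd syntax.
#   ".example.org"  matches any host under that domain (needs a name)
#   "192.0.2."      matches any address with that prefix (no name needed)
#   "ALL"           matches everything
HOSTS_ALLOW = {
    "portmap": [".example.org"],
    "mountd": ["trusted.example.org"],
    "ypserv": ["192.0.2."],
}


def ipfw_style_allow(src_ip: str, rules=IPFW_RULES) -> bool:
    """Kernel-filter decision: first rule whose network contains src_ip wins."""
    addr = ipaddress.ip_address(src_ip)
    for action, net in rules:
        if addr in net:
            return action == "allow"
    return False  # nothing matched: default deny


def _resolve_client(src_ip: str):
    """Return the verified hostname for src_ip, or None.

    Mirrors tcpd's PARANOID behaviour: the PTR name is only trusted if the
    name forward-resolves back to the same address. A mismatch is treated
    as an unknown client, so name-based patterns cannot match it.
    """
    name = REVERSE_DNS.get(src_ip)
    if name is None:
        return None
    if src_ip not in FORWARD_DNS.get(name, set()):
        return None
    return name


def _pattern_matches(pattern: str, name, src_ip: str) -> bool:
    """Match one hosts.allow client pattern against a (name, address) pair."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):            # domain suffix: needs a verified name
        return name is not None and name.endswith(pattern)
    if pattern.endswith("."):              # dotted address prefix
        return src_ip.startswith(pattern)
    return name == pattern or src_ip == pattern


def tcpd_style_allow(daemon: str, src_ip: str, table=HOSTS_ALLOW) -> bool:
    """Wrapper-style decision: resolve, verify, then match daemon's patterns."""
    name = _resolve_client(src_ip)
    return any(_pattern_matches(p, name, src_ip) for p in table.get(daemon, []))


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(ip, "ipfw:", ipfw_style_allow(ip),
              "tcpd mountd:", tcpd_style_allow("mountd", ip))
```

The spoofed-PTR host (198.51.100.7) is refused by both checkers, but for different reasons: IPFW never sees a name and simply finds no allow rule for its address, while the tcpd-style path would have accepted the name had it skipped the forward lookup. That is the trade-off the message is pointing at: the kernel filter is cheap and cannot break an application, but anything that wants to reason about names has to do DNS work somewhere, and that work needs the consistency check to mean anything.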
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199601241716.JAA13076>