From: Kevin Lyons
Date: Tue, 29 Jun 2004 14:20:23 -0500
To: Colin Percival
Cc: freebsd-chat@freebsd.org
Subject: Re: "TrustedBSD" addons
Message-ID: <40E1C0F7.7050105@ofdengineering.com>
In-Reply-To: <6.1.0.6.1.20040629112919.03bcffc8@popserver.sfu.ca>

Colin Percival wrote:
> At 10:28 29/06/2004, Kevin Lyons wrote:
>
>>I was reading with some surprise that some of the MAC and other "addons" from trusted bsd are to be incorporated.
>>
>>I can already see the security advisories for these things like we've had for tcpwrapper, kerberos, heimdal, jail, openssl, etcetera ad infinitum.
>
>
> It's worth noting that some of these advisories are rather esoteric.
> For example, FreeBSD-SA-04:09.kadmind doesn't affect any binary
> installations of FreeBSD, since it requires that both Kerberos 4 and
> Kerberos 5 are built.
>
> Meanwhile, despite having two security issues with jails (issues
> which weakened jails, but did not allow any privilege beyond that of
> an un-jailed user), there was one advisory (FreeBSD-SA-04:06.ipv6)
> for which jails (in their default configuration) were a specific
> workaround.

Some of them are not esoteric. So, following the current logic, I guess we'll have more "jails" for jail and more wrappers for wrapper :) ?

Presumably FreeBSD r-eng runs some kind of audit on port source like that mentioned in "Building Secure Software". Maybe that audit process should be improved rather than trying to add more layers of paint to fill in the cracks (proverbial)?

--
Kevin Lyons
OFD Engineering, 950 Threadneedle Suite 250, Houston Texas 77079
Phone: 281-679-9060, ext. 118, E-mail: kevin_lyons@ofdengineering.com