Message-ID: <19980815131309.14782@deepo.prosa.dk>
Date: Sat, 15 Aug 1998 13:13:09 +0200
From: Philippe Regnauld
To: rotel@indigo.ie
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Fwd: "Using capabilties aaginst shell code"
References: <19980814123240.63855@deepo.prosa.dk> <199808142212.XAA01134@indigo.ie>
In-Reply-To: <199808142212.XAA01134@indigo.ie>; from Niall Smart on Fri, Aug 14, 1998 at 11:12:12PM +0000
Organization: PROSA

Niall Smart writes:
>
> As for the example mentioned (no execve for imapd), I'm not sure
> it's at all useful.
> Just because someone can't execve doesn't mean they can't add an entry
> to /etc/passwd or modify root's or the sysadmin's .login etc

The point was to limit the number of outside attacks on privileged
network daemons.
Once the system has been broken into, it's over... "Just keep people out"

> Even better is additionally make chroot secure and put it in there.

What do you call "making chroot secure"?

--
-[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]-
The Internet is busy. Please try again later.