Date: Sat, 15 Aug 1998 14:48:11 +0000 From: Niall Smart <rotel@indigo.ie> To: Philippe Regnauld <regnauld@deepo.prosa.dk>, rotel@indigo.ie Cc: freebsd-security@FreeBSD.ORG Subject: Re: Fwd: "Using capabilties aaginst shell code" <dps@IO.STARGATE.CO.UK> Message-ID: <199808151348.OAA00655@indigo.ie> In-Reply-To: <19980815131309.14782@deepo.prosa.dk>; Philippe Regnauld <regnauld@deepo.prosa.dk>
next in thread | previous in thread | raw e-mail | index | archive | help
On Aug 15, 1:13pm, Philippe Regnauld wrote: } Subject: Re: Fwd: "Using capabilties aaginst shell code" <dps@IO.STARGATE. > Niall Smart writes: > > > > As for the example mentioned (no execve for imapd), I'm not sure > > its at all useful. > > Just because someone can't execve doesn't mean they can't add an entry > > to /etc/passwd or modify roots or the sysadmins .login etc > > The point was to limit the number of outside attacks on > priviledged network daemons. Once the system has been broken > into, it's over... "Just keep people out" I'm not sure what you mean by this; disabling execve doesn't prevent outside attacks on network daemons. > > Even better is additionally make chroot secure and put it in there. > > What do you call "making chroot secure" ? Making sure that a chroot process can't escape the jail and can't directly affect processes outside the jail. Niall -- Niall Smart, rotel@indigo.ie. Amaze your friends and annoy your enemies: echo '#define if(x) if (!(x))' >> /usr/include/stdio.h To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199808151348.OAA00655>