From owner-freebsd-security  Sat Aug 15 06:58:17 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id GAA29510
          for freebsd-security-outgoing; Sat, 15 Aug 1998 06:58:17 -0700 (PDT)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from indigo.ie (ts03-048.dublin.indigo.ie [194.125.148.58])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA29491
          for <freebsd-security@FreeBSD.ORG>; Sat, 15 Aug 1998 06:58:06 -0700 (PDT)
          (envelope-from rotel@indigo.ie)
Received: (from nsmart@localhost)
	by indigo.ie (8.8.8/8.8.7) id OAA00655;
	Sat, 15 Aug 1998 14:48:16 +0100 (IST)
	(envelope-from rotel@indigo.ie)
From: Niall Smart <rotel@indigo.ie>
Message-Id: <199808151348.OAA00655@indigo.ie>
Date: Sat, 15 Aug 1998 14:48:11 +0000
In-Reply-To: <19980815131309.14782@deepo.prosa.dk>; Philippe Regnauld <regnauld@deepo.prosa.dk>
Reply-To: rotel@indigo.ie
X-Files: The truth is out there
X-Mailer: Mail User's Shell (7.2.6 beta(3) 11/17/96)
To: Philippe Regnauld <regnauld@deepo.prosa.dk>, rotel@indigo.ie
Subject: Re: Fwd: "Using capabilties aaginst shell code" <dps@IO.STARGATE.CO.UK>
Cc: freebsd-security@FreeBSD.ORG
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Aug 15,  1:13pm, Philippe Regnauld wrote:
} Subject: Re: Fwd: "Using capabilties aaginst shell code" <dps@IO.STARGATE.
> Niall Smart writes:
> > 
> > As for the example mentioned (no execve for imapd), I'm not sure
> > its at all useful.  
> > Just because someone can't execve doesn't mean they can't add an entry
> > to /etc/passwd or modify roots or the sysadmins .login etc
> 
> 	The point was to limit the number of outside attacks on 
> 	priviledged network daemons.  Once the system has been broken
> 	into, it's over...  "Just keep people out"

I'm not sure what you mean by this; disabling execve doesn't prevent
outside attacks on network daemons.

> > Even better is additionally make chroot secure and put it in there.
> 
> 	What do you call "making chroot secure" ?

Making sure that a chroot process can't escape the jail and can't
directly affect processes outside the jail.

Niall

-- 
Niall Smart, rotel@indigo.ie.
Amaze your friends and annoy your enemies:
echo '#define if(x) if (!(x))' >> /usr/include/stdio.h

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message