Date: Wed, 28 Nov 2001 21:18:50 +0100 From: Borja Marcos <borjamar@sarenet.es> To: Brett Glass <brett@lariat.org> Cc: freebsd-security@freebsd.org Subject: Re: Security zone Message-ID: <200111282018.fASKIqA25080@borja.sarenet.es> In-Reply-To: <4.3.2.7.2.20011125091418.049f7450@localhost> References: <4.3.2.7.2.20011124162959.04085de0@localhost> <4.3.2.7.2.20011125091418.049f7450@localhost>
index | next in thread | previous in thread | raw e-mail
On Sunday 25 November 2001 17:15, you wrote: > This only helps if you run every application setuid to a > unique uid. And then it can't get at your personal files.... > There's an additional matrix of capabilities here that > ought to be independent of uid or gid. (Sorry for the delay) I find the issue a bit complex. Which criteria could I use in ipfw rules? The program name? I use process accounting in most machines, and it can be a great tool, but an intruder can notice it and rename his/her programs so that the executions get logged as harmless commands. At least the uid is more difficult for an user to alter than a process name. Or are you thinking about something more complex? Perhaps using program signatures? For now, I think that the uid/gid parameters in ipfw rules can be very convenient. Borja. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the messagehelp
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200111282018.fASKIqA25080>