Date: Mon, 21 Jun 2004 11:17:29 -0500 From: Will Andrews <will@csociety.org> To: Max Laier <max@love2party.net> Cc: freebsd-current@freebsd.org Subject: Re: startup error for pflogd Message-ID: <20040621161729.GL7956@sirius.firepipe.net> In-Reply-To: <200406211639.22243.max@love2party.net> References: <20040620134437.P94503@fw.reifenberger.com> <20040620230350.O1720@fw.reifenberger.com> <20040621105114.G9108@fw.reifenberger.com> <200406211639.22243.max@love2party.net>
next in thread | previous in thread | raw e-mail | index | archive | help
--k9xkV0rc9XGsukaG Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Jun 21, 2004 at 04:39:10PM +0200, Max Laier wrote: > I'll try to explain the reasoning behind this. If there are a zillion=20 > processes all owned by nobody:nogroup and an attacker manages to obtain= =20 > control over one of them, the rest might be easy/easier prey. The evildoe= r=20 > will have better chances to obtain critical resources and maybe root in t= he=20 > end. I think this is a good approach. In fact, that's what I do on my public mirror servers, i.e. allocate dedicated users for specific tasks to eliminate privilege escalation through them. Regards, --=20 wca --k9xkV0rc9XGsukaG Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (FreeBSD) iD8DBQFA1woZF47idPgWcsURAlHZAJ43a1IHDyFguIE1LTcGAHYcEZqIZwCdGkXu 5+aLcb60yudQXWvyvFBcYYo= =52T1 -----END PGP SIGNATURE----- --k9xkV0rc9XGsukaG--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040621161729.GL7956>