Date: Fri, 18 Feb 2000 22:35:38 +0200
From: Mark Murray <mark@grondar.za>
To: Robert Watson <robert+freebsd@cyrus.watson.org>
Cc: Lyndon Nerenberg <lyndon@orthanc.ab.ca>, Peter Wemm <peter@netplex.com.au>, current@FreeBSD.ORG, committers@FreeBSD.ORG
Subject: Re: Crypto progress! (And a Biiiig TODO list)
Message-ID: <200002182035.WAA28827@gratis.grondar.za>
In-Reply-To: <Pine.BSF.3.96.1000218115512.39111G-100000@fledge.watson.org> ; from Robert Watson <robert@cyrus.watson.org> "Fri, 18 Feb 2000 11:59:02 EST."
References: <Pine.BSF.3.96.1000218115512.39111G-100000@fledge.watson.org>

> Another technique that could be used, and gets discussed occasionally on
> -security, is passing authentication information via ancillary data
> transfer on UNIX domain sockets. You could limit the effectiveness of DOS
> attacks by rate limiting per-uid, for example.

Why is this being discussed as if it is new? This is what my tool _does_,
for crying out loud!!

> It should be noted that both the old and new schemes are subject to
> denial of service--the old due to locking, and the new due to socket/IPC
> limits, among other things. I would argue, however, that the new
> mechanism reduces risk as it would allow us to remove the setuid bit from
> a number of binaries, instead relying on a single auditable code base in
> the password file manager.

Right!! Forward motion.

> If we plan to move to more daemons using IPC to communicate in this style,
> we might want to think about consistency guidelines for doing this. For
> example, mandating an LPC structure of some sort, or managing parallelism
> on a single pipe, etc. Also, documenting techniques that tend to reduce
> the risk of denial of service for daemons offering IPC services.

Sure. Code/Documentation welcome.

M
--
Mark Murray
Join the anti-SPAM movement: http://www.cauce.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200002182035.WAA28827>
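
The technique discussed in the message above, as an added example that is not from the thread or from the tool it mentions: a daemon reads kernel-supplied peer credentials from ancillary data on a UNIX domain socket and rate-limits requests per uid. It assumes Linux's SO_PASSCRED/SCM_CREDENTIALS (FreeBSD exposes the same idea through SCM_CREDS); the class and function names and the `chpass` payload are hypothetical.

```python
import socket
import struct
import time

UCRED = struct.Struct("3i")  # Linux struct ucred: pid, uid, gid

class UidRateLimiter:
    """Token bucket per uid: up to `burst` requests, refilled at `rate` per second."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.buckets = {}  # uid -> (tokens, time of last update)

    def allow(self, uid, now=None):
        now = time.monotonic() if now is None else now
        tokens, last = self.buckets.get(uid, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        allowed = tokens >= 1
        self.buckets[uid] = (tokens - 1 if allowed else tokens, now)
        return allowed

def recv_with_creds(sock, bufsize=4096):
    """Return (payload, pid, uid, gid). The ids are filled in by the kernel,
    so the client cannot claim to be another user in the payload."""
    data, ancdata, _flags, _addr = sock.recvmsg(bufsize, socket.CMSG_SPACE(UCRED.size))
    for level, ctype, cdata in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_CREDENTIALS:
            pid, uid, gid = UCRED.unpack(cdata[:UCRED.size])
            return data, pid, uid, gid
    raise PermissionError("no credentials attached; refusing request")

def serve_one(sock, limiter):
    """Handle one request: identify the caller, then apply the per-uid limit."""
    payload, _pid, uid, _gid = recv_with_creds(sock)
    if not limiter.allow(uid):
        return uid, b"ERR rate limited"
    return uid, b"OK " + payload

def demo():
    """Constructed scenario: one client sends three requests, burst limit is two."""
    server, client = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    server.setsockopt(socket.SOL_SOCKET, socket.SO_PASSCRED, 1)  # ask for creds
    limiter = UidRateLimiter(rate=0.0, burst=2)  # no refill, to keep the demo fixed
    results = []
    for _ in range(3):
        client.sendall(b"chpass")
        results.append(serve_one(server, limiter))
    client.close()
    server.close()
    return results

if __name__ == "__main__":
    print(demo())
```

The daemon itself needs no setuid clients: authorization decisions key off the uid returned by `recv_with_creds`, and the limiter bounds how much work any single uid can demand.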