Buffer overflow?
Jeremy Messenger
mezz7 at cox.net
Tue Aug 26 12:34:05 PDT 2003
On Tue, 26 Aug 2003 12:01:13 +0200, Pawel Jakub Dawidek wrote:
> On Fri, Aug 01, 2003 at 06:12:46PM -0700, Matthew Dillon wrote:
> +> Consider the difference between running something like named as we run
> +> it now, even in a chroot'd environment, versus running something like
> +> named in a restricted environment which has the rules:
> +>
> +> * R/W allowed in /etc/namedb/s, /etc/namedb/run, and
> +>   /var/run/named.pid
> +>
> +> * /dev access only to /dev/null and /dev/zero
> +>
> +> * read-access to standard /etc config files for libc support,
> +>   which does NOT include access to the password file.
> +>
> +> * no ability to run suid/sgid programs or to connect to any
> +>   socket resource other than port X, Y, and Z.
> +>
> +> * no other access (no ability to exec suid/sgid programs, no
> +>   ability to access other socket resources, no ability to access
> +>   random devices in /dev, no ability to run esoteric system calls
> +>   that named has no business running, whether they are supposed to
> +>   be secure or not. No ability to access the password file or
> +>   database).
> +>
> +> The same can be said for Apache, sendmail, and just about any other
> +> service one might run, as well as programs like sudo which are
> +> ridiculously dangerous.
>
> You can look at my project - CerbNG, which provides such functionality in
> its own way:
>
> http://cerber.sourceforge.net
>
> and here are example policies:
>
> http://cerber.sourceforge.net/policies/
I keep getting the 403 Forbidden page when I try to view each of the example
policies.
Cheers,
Mezz
> I'm considering porting CerbNG to DFly while it is based on FreeBSD 4.x.
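
The default-deny rule list quoted from Matthew Dillon above, modelled as a small userland checker. This is an added example, not part of the original message and not CerbNG policy syntax; the read-only file names, port 53 and all function names are assumptions made for illustration.

```python
import posixpath

# Constructed policy modelled on the quoted rule list. The message only says
# "standard /etc config files" and "port X, Y, and Z", so RO_PATHS and
# ALLOWED_PORTS below are assumed placeholder values.
RW_PATHS = ("/etc/namedb/s", "/etc/namedb/run", "/var/run/named.pid")
DEV_PATHS = ("/dev/null", "/dev/zero")
RO_PATHS = ("/etc/resolv.conf", "/etc/hosts", "/etc/services")  # assumed
ALLOWED_PORTS = {53}                                            # assumed


def _under(path, roots):
    """True if path equals a root or lies beneath it, compared per component."""
    return any(path == r or path.startswith(r + "/") for r in roots)


def check_open(path, write=False):
    """Default deny: only the listed locations are reachable."""
    # Normalise first, so "/etc/namedb/s/../../master.passwd" cannot slip
    # through a prefix test. This is lexical only; a kernel-level enforcer
    # would decide on the resolved object, which also covers symlinks.
    p = posixpath.normpath(path)
    if not p.startswith("/"):
        return False                # relative paths are refused outright
    if _under(p, RW_PATHS):
        return True                 # read and write allowed
    if p in DEV_PATHS:
        return True                 # the only two devices permitted
    if p in RO_PATHS:
        return not write            # libc config files: read-only
    return False                    # everything else, password file included


def check_connect(port):
    """Socket access is limited to the allowlisted ports."""
    return port in ALLOWED_PORTS


def check_exec(mode_bits):
    """Refuse set-uid/set-gid images. Allowing other exec is an assumption."""
    return not (mode_bits & 0o6000)
```

Note that `/etc/namedb/sneaky` is refused even though it shares a string prefix with `/etc/namedb/s`, because the match is made on whole path components.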