Buffer overflow?

Hiten Pandya hmp at nxad.com
Sun Aug 3 21:12:48 PDT 2003

Rik van Riel wrote:
> Personally I don't think the OS should compromise on the
> security infrastructure in order to make things easier
> to configure.
>
> I guess the most reasonable solution would be to have the
> popular daemons installed in a secure setup by default;
> ie. named, apache, the MTA and other important daemons
> would come pre-packaged to run in a restricted environment.
> That way the security people can tweak everything until
> it's right, without having to compromise on security, while
> the system administrators get something safe.

I personally like Matt's idea of making strict configuration as to what 
daemons get to access what devices etc; and things like Non-executable 
stack and Binary checksumming would be "Icing on the Cake."

On the other hand, we also could provide some level of PAM support -- I 
say this because of the amount of PAM modules out there which can be 
used for integrating OSes like DFly in Active Directory and such.

Even if we take out painless integration with Microsoft based 
authentication servers, like Active Directory (effectively done by use 
of pam_ldap and friends); PAM is supported by Linux and Sun.  To 
summarise, if we can provide some sort of PAM compatibility, it will 
make lives much easier as far as inter-operability is in the picture.

Also, I am not sure about the possibility or the viability of what I am 
about to suggest; that is, things like ACLs should be done as an overlay 
over a file system, just like Quotas and the ability to make arbitrary 
file system volumes as root file systems.  So it would be like:

	[ UFS ] -> [ ACL-FS ] -> FS visibility (w/ ACLs)

So then, supposedly, a VFS entry-point exists that can be used by the 
filesystem for storing the ACL information somewhere, be it on-disk, or 
temporarily in memory (depending on what type of file system it is 

Of course, adding ACL support to userland utilities is just a different 
ball-game altogether. :-)


Hiten Pandya
hmp at xxxxxxxx
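
The `[ UFS ] -> [ ACL-FS ]` layering suggested in the message above can be modelled in user space. This is an added example, not part of the original post and not DragonFly code. All names (`lower_access`, `acl_set`, `aclfs_access`) and the rule that a matching per-user ACL entry decides while everything else passes through to the lower layer are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

enum { ACL_R = 4, ACL_W = 2, ACL_X = 1 };

/* Lower layer (stands in for UFS): knows only owner/other mode bits. */
struct node { uint32_t ino, owner; unsigned mode; };

static int lower_access(const struct node *n, uint32_t uid, unsigned want)
{
    unsigned bits = (uid == n->owner) ? (n->mode >> 6) & 7 : n->mode & 7;
    return (bits & want) == want;
}

/* ACL layer: in-memory store keyed by (inode, uid). A real layer could
 * persist entries through a storage hook offered by the lower FS. */
struct acl_entry { uint32_t ino, uid; unsigned perms; };
static struct acl_entry acl_store[16];
static size_t acl_count;

static struct acl_entry *acl_find(uint32_t ino, uint32_t uid)
{
    for (size_t i = 0; i < acl_count; i++)
        if (acl_store[i].ino == ino && acl_store[i].uid == uid)
            return &acl_store[i];
    return NULL;
}

/* Add or update an entry; returns -1 when the store is full. */
int acl_set(uint32_t ino, uint32_t uid, unsigned perms)
{
    struct acl_entry *e = acl_find(ino, uid);
    if (!e) {
        if (acl_count == sizeof acl_store / sizeof acl_store[0])
            return -1;          /* refuse rather than silently drop */
        e = &acl_store[acl_count++];
        e->ino = ino;
        e->uid = uid;
    }
    e->perms = perms;
    return 0;
}

/* What callers see: a matching ACL entry decides, otherwise pass through. */
int aclfs_access(const struct node *n, uint32_t uid, unsigned want)
{
    const struct acl_entry *e = acl_find(n->ino, uid);
    return e ? (e->perms & want) == want : lower_access(n, uid, want);
}

int main(void)
{
    struct node f = { 42, 1000, 0640 };    /* constructed sample file */
    acl_set(f.ino, 2000, ACL_R);
    printf("uid 2000 read=%d write=%d\n",
           aclfs_access(&f, 2000, ACL_R), aclfs_access(&f, 2000, ACL_W));
    return 0;
}
```

The lower layer is never modified; removing the ACL layer restores plain mode-bit behaviour, which is the property the overlay arrangement is meant to give.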
