Date: Wed, 28 Nov 2001 21:18:50 +0100 From: Borja Marcos <borjamar@sarenet.es> To: Brett Glass <brett@lariat.org> Cc: freebsd-security@freebsd.org Subject: Re: Security zone Message-ID: <200111282018.fASKIqA25080@borja.sarenet.es> In-Reply-To: <4.3.2.7.2.20011125091418.049f7450@localhost> References: <4.3.2.7.2.20011124162959.04085de0@localhost> <4.3.2.7.2.20011125091418.049f7450@localhost>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sunday 25 November 2001 17:15, you wrote: > This only helps if you run every application setuid to a > unique uid. And then it can't get at your personal files.... > There's an additional matrix of capabilities here that > ought to be independent of uid or gid. =09(Sorry for the delay) =09I find the issue a bit complex. Which criteria could I use in ipfw rul= es?=20 The program name? I use process accounting in most machines, and it can b= e a=20 great tool, but an intruder can notice it and rename his/her programs so = that=20 the executions get logged as harmless commands. At least the uid is more=20 difficult for an user to alter than a process name. =09Or are you thinking about something more complex? Perhaps using progra= m=20 signatures? For now, I think that the uid/gid parameters in ipfw rules ca= n be=20 very convenient. =09Borja. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200111282018.fASKIqA25080>