From owner-freebsd-security Sun Nov 25 11:52:43 2001
Date: Sun, 25 Nov 2001 14:54:03 -0500
From: The Anarcat
To: Ian Smith
Cc: Brett Glass, Kris Kennaway, freebsd-security@FreeBSD.ORG
Subject: Re: Security zone

Ian Smith wrote:
>
> On Sat, 24 Nov 2001, Brett Glass wrote:
>
> > At 04:11 PM 11/24/2001, Kris Kennaway wrote:
> >
> > >It's basically a lie; you can do all this and more under FreeBSD.
> >
> > FreeBSD doesn't have per-application control of ports and sockets,
> > which is what ZoneAlarm *tries* to provide. It'd be nice to add this
> > as built-in feature, either in the base OS or in ipfw.
>
> Yeah, Windows security 'features' for FreeBSD, just what we lack! :)
>
> Can't you do 'per-app' stuff in ipfw with users and/or groups? Frankly
> I'm more contented relying on having port access control in rc.firewall.

You can't do "per-app" stuff. You can control on the local user or
group id, but that is about it.

Anyways, I can't figure out how one can pretend to have that level of
control over the stack (per-app) and why one would want to have it
anyways. "Apps" are installed/deinstalled, modified, upgraded, etc. It
would be impossible and simply useless to have that kind of control.

a.
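
Added example, not part of the original message or of FreeBSD's rc.firewall: the user/group matching discussed above can approximate per-application egress control if each service runs under its own account. The account names, ports, rule numbers and the `IPFW` dry-run variable are assumptions constructed for illustration.

```shell
#!/bin/sh
# Generate ipfw rules that restrict outbound traffic per service account,
# using ipfw's "uid" match (socket owner), which applies to TCP and UDP.
# Constructed sample policy; adapt accounts and ports to the local system.

IPFW="${IPFW:-echo ipfw}"   # dry run by default; set IPFW=/sbin/ipfw to apply

# account:proto:allowed-destination-ports (constructed values)
POLICY="
www:tcp:80,443
bind:udp:53
bind:tcp:53
"

emit_rules() {
    n=1000
    # Allow only the listed destination ports for sockets owned by each account.
    for entry in $POLICY; do
        user=${entry%%:*}
        rest=${entry#*:}
        proto=${rest%%:*}
        ports=${rest#*:}
        $IPFW add "$n" allow "$proto" from me to any "$ports" out uid "$user"
        n=$((n + 10))
    done
    # Deny and log anything else these accounts originate.
    # Return traffic is assumed to be handled elsewhere in the ruleset.
    for user in $(printf '%s\n' $POLICY | cut -d: -f1 | sort -u); do
        for proto in tcp udp; do
            $IPFW add "$n" deny log "$proto" from me to any out uid "$user"
            n=$((n + 10))
        done
    done
}

emit_rules
```

The control is only as fine-grained as the account separation: two programs running under the same uid are indistinguishable to these rules.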