Date:      Tue, 29 Jun 2004 14:20:23 -0500
From:      Kevin Lyons <kevin_lyons@ofdengineering.com>
To:        Colin Percival <colin.percival@wadham.ox.ac.uk>
Cc:        freebsd-chat@freebsd.org
Subject:   Re: "TrustedBSD" addons
Message-ID:  <40E1C0F7.7050105@ofdengineering.com>
In-Reply-To: <6.1.0.6.1.20040629112919.03bcffc8@popserver.sfu.ca>
References:  <40E1A6C0.2040406@ofdengineering.com> <6.1.0.6.1.20040629112919.03bcffc8@popserver.sfu.ca>



Colin Percival wrote:

> At 10:28 29/06/2004, Kevin Lyons wrote:
> 
>>I was reading with some surprise that some of the MAC and other "addons" from trusted bsd are to be incorporated.
>>
>>I can already see the security advisories for these things like we've had for tcpwrapper, kerberos, heimdal, jail, openssl, etcetera ad infinitum.
> 
> 
> It's worth noting that some of these advisories are rather esoteric.
> For example, FreeBSD-SA-04:09.kadmind doesn't affect any binary
> installations of FreeBSD, since it requires that both Kerberos 4 and
> Kerberos 5 are built.
> 
> Meanwhile, despite having two security issues with jails (issues
> which weakened jails, but did not allow any privilege beyond that of
> an un-jailed user), there was one advisory (FreeBSD-SA-04:06.ipv6)
> for which jails (in their default configuration) were a specific
> workaround.

Some of them are not esoteric.  So, following the current logic, I guess 
we'll have more "jails" for jail and more wrappers for wrapper :) ? 
Presumably FreeBSD r-eng runs some kind of audit on port source like 
that mentioned in "Building Secure Software".  Maybe that audit process 
should be improved rather than trying to add more layers of paint to 
fill in the cracks (proverbial)?


-- 
Kevin Lyons
OFD Engineering, 950 Threadneedle Suite 250, Houston Texas 77079
Phone: 281-679-9060, ext. 118, E-mail: kevin_lyons@ofdengineering.com



