From: Pawel Jakub Dawidek <nick@xxxxxxxxxxxxxxxxx>
Date: Tue, 26 Aug 2003 12:01:13 +0200
On Fri, Aug 01, 2003 at 06:12:46PM -0700, Matthew Dillon wrote:
> Consider the difference between running something like named as we run
> it now, even in a chroot'd environment, versus running something like
> named in a restricted environment which has the rules:
>
> * R/W allowed in /etc/namedb/s, /etc/namedb/run, and
> /var/run/named.pid
>
> * /dev access only to /dev/null and /dev/zero
>
> * read-access to standard /etc config files for libc support,
> which does NOT include access to the password file.
>
> * no ability to run suid/sgid programs or to connect to any
> socket resource other than port X, Y, and Z.
>
> * no other access (no ability to exec suid/sgid programs, no
> ability to access other socket resources, no ability to access
> random devices in /dev, no ability to run esoteric system calls
> that named has no business running, whether they are supposed to
> be secure or not. No ability to access the password file or
> database).
>
> The same can be said for Apache, sendmail, and just about any other
> service one might run, as well as programs like sudo which are
> ridiculously dangerous.

You can look at my project, CerbNG, which provides such functionality in its own way:

http://cerber.sourceforge.net

and here are example policies:

http://cerber.sourceforge.net/policies/

I'm considering porting CerbNG to DFly while it is based on FreeBSD 4.x.

--
Pawel Jakub Dawidek pawel@xxxxxxxxxxx
UNIX Systems Programmer/Administrator http://garage.freebsd.pl
Am I Evil? Yes, I Am! http://cerber.sourceforge.net
Attachment:
pgp00003.pgp
Description: PGP signature
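As an added illustration (not code from this thread, from CerbNG, or from DragonFly), the rule set quoted above for named can be written down as a small policy and evaluated against access requests; the request kinds, the password-database file names and the choice of port 53 for "port X, Y, and Z" are assumptions made here, and the path canonicalization shows why prefix-based rules must normalize paths before matching.

```python
import posixpath

# Policy transcribed from the quoted rules. Prefixes are directories in
# which named may work; exact files are single paths. The password
# database names and the port number are assumptions (FreeBSD layout).
POLICY = {
    "rw_prefixes": ("/etc/namedb/s/", "/etc/namedb/run/"),
    "rw_files": ("/var/run/named.pid",),
    "ro_prefixes": ("/etc/",),             # libc support files, read only
    "ro_deny": ("/etc/passwd", "/etc/master.passwd",
                "/etc/pwd.db", "/etc/spwd.db"),
    "devices": ("/dev/null", "/dev/zero"),
    "ports": (53,),                        # assumed value for "port X, Y, and Z"
}

def canonical(path):
    """Collapse '.', '..' and repeated slashes so a prefix rule cannot be
    escaped with a path such as /etc/namedb/s/../../passwd."""
    if not path.startswith("/"):
        return None                        # only absolute paths are decidable
    return posixpath.normpath(path)

def allowed(kind, target, mode="r"):
    """Return True if the request is permitted under POLICY.
    kind is one of 'file', 'dev', 'connect', 'exec_suid';
    mode is 'r' or 'w' and only matters for 'file'."""
    if kind == "exec_suid":
        return False                       # no suid/sgid programs at all
    if kind == "connect":
        return target in POLICY["ports"]   # only the listed ports
    path = canonical(target)
    if path is None:
        return False
    if kind == "dev":
        return path in POLICY["devices"]   # /dev/null and /dev/zero only
    if kind == "file":
        if path.startswith("/dev/"):
            return False                   # devices are decided by the 'dev' rule
        if path in POLICY["rw_files"] or path.startswith(POLICY["rw_prefixes"]):
            return True
        if mode == "r" and path.startswith(POLICY["ro_prefixes"]):
            return path not in POLICY["ro_deny"]
        return False
    return False                           # anything else: "no other access"
```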