"TrustedBSD" addons

Kevin Lyons kevin_lyons at ofdengineering.com
Tue Jun 29 12:20:33 PDT 2004



Colin Percival wrote:

> At 10:28 29/06/2004, Kevin Lyons wrote:
> 
>>I was reading with some surprise that some of the MAC and other "addons" from trusted bsd are to be incorporated.
>>
>>I can already see the security advisories for these things like we've had for tcpwrapper, kerberos, heimdal, jail, openssl, etcetera ad infinitum.
> 
> 
> It's worth noting that some of these advisories are rather esoteric.
> For example, FreeBSD-SA-04:09.kadmind doesn't affect any binary
> installations of FreeBSD, since it requires that both Kerberos 4 and
> Kerberos 5 are built.
> 
> Meanwhile, despite having two security issues with jails (issues
> which weakened jails, but did not allow any privilege beyond that of
> an un-jailed user), there was one advisory (FreeBSD-SA-04:06.ipv6)
> for which jails (in their default configuration) were a specific
> workaround.

Some of them are not esoteric.  So, following the current logic, I guess 
we'll have more "jails" for jail and more wrappers for wrapper :) ? 
Presumably FreeBSD r-eng runs some kind of audit on port source like 
that mentioned in "Building Secure Software".  Maybe that audit process 
should be improved rather than trying to add more layers of paint to 
fill in the cracks (proverbial)?


-- 
Kevin Lyons
OFD Engineering, 950 Threadneedle Suite 250, Houston Texas 77079
Phone: 281-679-9060, ext. 118, E-mail: kevin_lyons at ofdengineering.com



