jails, ipfilter & stunnel
Pawel Jakub Dawidek
nick at garage.freebsd.pl
Tue Jul 15 03:53:44 PDT 2003
On Tue, Jul 15, 2003 at 12:28:14PM +0200, Uwe Doering wrote:
+> >IMHO security solutions that are "harder to break", aren't security
+> >solutions.
+>
+> Sure, everybody should afford an opinion. However, as you are certainly
+> aware there is no absolute security, no magic bullet. Security is like
+> an onion, with multiple layers. You grab as many layers as you can
+> under the given circumstances and try to make the best of it.
Yes, you're right, but I'm not talking about this.
For example: You want to denied users to see other users processes.
What can you do:
1. chmod a-x /bin/ps.
2. sysctl security.bsd.see_other_uids=0
1st solution isn't to secure:) and I'm talking about this. You're aware
of its "incompletness". It is "harder to break", because someone have
to run top(1) or his own ps(1), but please...
2nd soultion is the right one, because it is complete and it isn't against
lazy "attackers".
Of course there could be bug in implementation, but you aren't aware
of it and we aren't talking about this here. Important thing is that
it is tight. Risk calculation problem is another topic.
--
Pawel Jakub Dawidek pawel at dawidek.net
UNIX Systems Programmer/Administrator http://garage.freebsd.pl
Am I Evil? Yes, I Am! http://cerber.sourceforge.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 305 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20030715/94c05b35/attachment.bin
More information about the freebsd-security
mailing list