On Fri, 8 Jul 2011 15:09:52 +0400
"Ilya Bakulin" mentioned:
> [CCing Ben, Robert and Jonathan as it's very important for me to receive
> their feedback about my thoughts]
>
> Let me focus on those application ideas that you've mentioned. All the
> following are my thoughts and this may be incorr
On Thu, 4 Aug 2011, Lars Engels wrote:
I just stumbled upon this rather outdated thread...
On Fri, 8 Jul 2011 15:09:52 +0400, Ilya Bakulin wrote: [...]
wget curl links/lynx
This is Ports software, we may try to modify it and even send patches to
upstream, or maintain our local patches. I wan
I just stumbled upon this rather outdated thread...
On Fri, 8 Jul 2011 15:09:52 +0400, Ilya Bakulin wrote:
[...]
wget
curl
links/lynx
This is Ports software, we may try to modify it and even send patches
to
upstream, or maintain our local patches. I wanted to focus on base
system
components du
On 07/11/2011 05:08, Ilya Bakulin wrote:
> chroot constraints only filesystem namespace, but doesn't prevent process
> from sending/receiving data via network,
... which is kind of important for DNS software. :)
> or from accessing other global
> namespaces such as PID namespace, SHM namespace, a
chroot constraints only filesystem namespace, but doesn't prevent process
from sending/receiving data via network, or from accessing other global
namespaces such as PID namespace, SHM namespace, and from executing any
system calls.
In contract to chroot, Capsicum framework significantly increases
a
On 07/09/2011 07:54, Gabor Kovesdan wrote:
> Anyway, consider sendmail and BIND. I think these are important enough
> to get some more protection.
What additional protection could capsicum offer beyond chroot'ing?
(That's not a snark, I don't quite understand all the moving parts here.)
Doug
--
On (09/07/2011 15:54), Gabor Kovesdan wrote:
> Em 08-07-2011 13:23, Ivan Voras escreveu:
> > On 08/07/2011 05:42, Ilya Bakulin wrote:
> >> Hi hackers,
> >> As a part of ongoing effort to enhance usage of Capsicum in FreeBSD base
> >> system, I want to ask you, which applications in the base system
Em 08-07-2011 13:23, Ivan Voras escreveu:
On 08/07/2011 05:42, Ilya Bakulin wrote:
Hi hackers,
As a part of ongoing effort to enhance usage of Capsicum in FreeBSD base
system, I want to ask you, which applications in the base system should
receive sandboxing support.
How about a small descript
On 8 Jul 2011, at 19:08, Brian Reichert wrote:
> On Fri, Jul 08, 2011 at 07:42:12AM +0400, Ilya Bakulin wrote:
>> The question is: which applications should also be processed? I think
>> that the most wanted candidates are SUID programs and/or popular network
>> daemons.
>
> I propose 'man'; sne
On Fri, Jul 08, 2011 at 07:42:12AM +0400, Ilya Bakulin wrote:
> The question is: which applications should also be processed? I think
> that the most wanted candidates are SUID programs and/or popular network
> daemons.
I propose 'man'; sneaky stuff can happen there
Dunno if that meshes with
FWIW;
I would think ftpd, which may require an update too,
would be a classical candidate. Perhaps also telnetd.
I recall sendmail calls bin/sh for some things and there
is an option for a restricted shell (rsh), so supporting
a shell would help sendmail too.
And then some stuff like ipfw is nev
On 07/08/2011 05:42 AM, Ilya Bakulin wrote:
> The question is: which applications should also be processed? I think
> that the most wanted candidates are SUID programs and/or popular network
> daemons.
> But looking at gzip example I also think about text-processing tools in
> general.
I think tcpd
On 8 July 2011 12:09, Ilya Bakulin wrote:
> modification of inetd itself is NOT sufficient and
> ineffective, capability support implies modifying code of daemons
Speaking as someone who isn't terribly familiar with inetd:
One could imagine inetd (or an inetd-like service) accepting
connections,
On 08/07/2011 05:42, Ilya Bakulin wrote:
Hi hackers,
As a part of ongoing effort to enhance usage of Capsicum in FreeBSD base
system, I want to ask you, which applications in the base system should
receive sandboxing support.
How about a small description what sandboxing can bring to applicatio
On 8 Jul 2011, at 05:02, Matt Olander wrote:
> What about inetd? Is that possible or does each service it support
> need sandboxing, too? How about sendmail and bind?
I'm less concerned about the core connection juggling content of inetd than the
external services it launches -- however, inetd
[CCing Ben, Robert and Jonathan as it's very important for me to receive
their feedback about my thoughts]
Let me focus on those application ideas that you've mentioned. All the
following are my thoughts and this may be incorrect, in this case please
correct me.
> -any server software
Yes, server
On 07/07/11 20:42, Ilya Bakulin wrote:
Hi hackers,
As a part of ongoing effort to enhance usage of Capsicum in FreeBSD base
system, I want to ask you, which applications in the base system should
receive sandboxing support.
So far, the following applications were sandboxed during initial
Capsicum
On Thu, Jul 7, 2011 at 8:42 PM, Ilya Bakulin wrote:
> Hi hackers,
> As a part of ongoing effort to enhance usage of Capsicum in FreeBSD base
> system, I want to ask you, which applications in the base system should
> receive sandboxing support.
> So far, the following applications were sandboxed d
Hi hackers,
As a part of ongoing effort to enhance usage of Capsicum in FreeBSD base
system, I want to ask you, which applications in the base system should
receive sandboxing support.
So far, the following applications were sandboxed during initial
Capsicum research project:
sshd: critical system
19 matches
Mail list logo
