> Unless I am sorely mistaken, systrace can be broken by any user with
> enough privileges to run two processes.
Well, then you are sorely mistaken. One of your processes can break
the other one. What's the big deal? Where's the privilege
escalation? There is none.
You overstate the situatio
On Mon, Oct 15, 2007 at 09:30:02PM -0500, Aaron wrote:
> The types of machines I will be running (...) I run pf [on my
> workstation] and only allow pass out w/return traffic allowed, no
> services at all) will be single or dual purpose servers.. i.e. http,
> smtp, imap etc, not machines that are r
Aaron wrote:
Joachim Schipper wrote:
On Thu, Oct 11, 2007 at 08:54:42PM +0200, Xavier Mertens wrote:
Hi *,
I'm busy with a systrace/stsh implementation but there is a lack of
standard policies (IMHO). Any idea where I can find some ready-to-use policies?
I must be missing some important o
On Sun, Oct 14, 2007 at 03:27:20PM -0500, Aaron wrote:
> I hope I'm not out of line changing the thread but this seemed like a good
> place to ask this question.
Not at all, and changing the thread title when changing the thread
subject is a welcome relief from the usual misc@ practice.
>I'm
Eduardo Tongson wrote:
Robert Watson's paper discusses concurrency vulnerabilities. Impacts
include policy bypass and audit trail invalidation. A bypass means it
is useless. That pretty much hammered in the last nail on the coffin
for security tools based on system call interposition.
I actuall
On 10/14/07, Steve Shockley <[EMAIL PROTECTED]> wrote:
> The white paper for the systrace vulnerability was a little bit beyond
> me; what's the impact of the issue? Is a system running systrace *more*
> vulnerable than a normal system, or is the problem just that a
> determined user can circumven
On 10/15/07, Eduardo Tongson <[EMAIL PROTECTED]> wrote:
>
> Robert Watson's paper discusses concurrency vulnerabilities. Impacts
> include policy bypass and audit trail invalidation. A bypass means it
> is useless. That pretty much hammered in the last nail on the coffin
> for security tools based o
Robert Watson's paper discusses concurrency vulnerabilities. Impacts
include policy bypass and audit trail invalidation. A bypass means it
is useless. That pretty much hammered in the last nail on the coffin
for security tools based on system call interposition.
On 10/15/07, Steve Shockley <[EMAIL
2007/10/14, Aaron <[EMAIL PROTECTED]>:
> I guess with all the hoopla about 'hardening'/trusted this and
> that/fuzzy knobs (i.e. SE Linux) I got a little overzealous looking for
As others have already pointed out, these knobs might not be useful to
your setup and your needs. Think also that more
Joachim Schipper wrote:
You should probably do a Google search on systrace before continuing
further down this road. In particular, I believe the issue highlighted
by Robert Watson has not been fixed yet (although I could be wrong, and
would be happy to be wrong in this case).
The white paper f
On 10/14/07, Aaron <[EMAIL PROTECTED]> wrote:
[snip]
> I guess with all the hoopla about 'hardening'/trusted this and
> that/fuzzy knobs (i.e. SE Linux) I got a little overzealous looking for
> ways to tweak things (which i know can end up either making things less
> secure (especially with fa
Joachim Schipper wrote:
On Thu, Oct 11, 2007 at 08:54:42PM +0200, Xavier Mertens wrote:
Hi *,
I'm busy with a systrace/stsh implementation but there is a lack of standard
policies (IMHO). Any idea where I can find some ready-to-use policies?
I must be missing some important ones, when the u
On Thu, Oct 11, 2007 at 08:54:42PM +0200, Xavier Mertens wrote:
> Hi *,
>
> I'm busy with a systrace/stsh implementation but there is a lack of standard
> policies (IMHO). Any idea where I can find some ready-to-use policies?
>
> I must be missing some important ones, when the user logs in, he go
Hi *,
I'm busy with a systrace/stsh implementation but there is a lack of standard
policies (IMHO). Any idea where I can find some ready-to-use policies?
I must be missing some important ones, when the user logs in, he immediately gets
the following error:
systrace: getcwd: Permission denied
Xav