and so soon!
http://www.lightbluetouchpaper.org/2007/08/06/usenix-woot07-exploiting-concurrency-vulnerabilities-in-system-call-wrappers-and-the-evil-genius/
... "including sudo"...
Here's the pull quote:
The moral, for those unwilling to read the paper, is that system
call wrappers are a bad idea, unless of course, you’re willing to
rewrite the OS to be message-passing. Systems like the TrustedBSD
MAC Framework on FreeBSD and Mac OS X Leopard, Linux Security
Modules (LSM), Apple’s (and now also NetBSD’s) kauth(9), and other
tightly integrated kernel security frameworks offer specific
solutions to these concurrency problems. There’s plenty more to be
done in that area.
Just something to consider in the head-long rush to disable these
technologies.
As for OpenBSD, can we ask the too simple question as to why, if
they're so concerned about security, they've refused to implement
kauth or similar?
Or, you know, even attempt to fix this problem during the past six
months?
I watch the ripples change their size
But never leave the stream
Of warm impermanence and
So the days float through my eyes
But still the days seem the same
And these children that you spit on
As they try to change their worlds
Are immune to your consultations
They're quite aware of what they're going through
sigh
_______________________________________________
[email protected] mailing list
http://lists.hosef.org/cgi-bin/mailman/listinfo/luau
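The race the quoted paper describes, shown as an added example that is not code from the post, the paper, or any of the frameworks it names: a system call wrapper copies a path argument out of user memory and checks it against policy, then the real system call copies the same argument in again, so a second thread that rewrites the user buffer between the two fetches gets a path the wrapper never saw. The racing thread is modelled here as a callback invoked in that window rather than a real pthread, so the outcome is deterministic; the in-kernel hook variant copies once and checks the kernel's own copy, which is the structural fix the quote attributes to LSM, kauth(9) and the MAC Framework. All names (`user_path`, `copyin`, `policy_allows`, the two open variants) and the `/etc/` policy are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define SIM_PATH_MAX 64

/* Constructed "user memory": the buffer the syscall argument points at.
 * Both the wrapper and the kernel read it through copyin() below. */
static char user_path[SIM_PATH_MAX];

/* Helper for callers/tests: stage the argument the process passes in. */
void set_user_path(const char *p)
{
    strncpy(user_path, p, sizeof user_path - 1);
    user_path[sizeof user_path - 1] = '\0';
}

/* Illustrative policy: anything under /etc/ is denied. */
int policy_allows(const char *path)
{
    return strncmp(path, "/etc/", 5) != 0;
}

/* Models the kernel's copyin(): every call re-reads user memory. */
static void copyin(char *dst, const char *user_src, size_t n)
{
    strncpy(dst, user_src, n - 1);
    dst[n - 1] = '\0';
}

/* A racing thread, reduced to a callback run inside the vulnerable window. */
typedef void (*racer_fn)(void);

/* Attacker thread: swap the already-checked path for a forbidden one. */
void flip_to_secret(void)
{
    set_user_path("/etc/master.passwd");
}

/* Return codes shared by both variants:
 *  -1  the access check denied the call
 *   0  the kernel acted on a path the policy allows
 *   1  the kernel acted on a path the policy forbids (check bypassed) */

/* Vulnerable shape: wrapper fetch + check, then the real syscall fetches
 * again. The second fetch is what the wrapper never gets to see. */
int wrapped_open_vulnerable(const char *user_arg, racer_fn racer)
{
    char wrapper_copy[SIM_PATH_MAX];
    char kernel_copy[SIM_PATH_MAX];

    copyin(wrapper_copy, user_arg, sizeof wrapper_copy);   /* fetch #1 */
    if (!policy_allows(wrapper_copy))
        return -1;

    if (racer)
        racer();            /* window: user memory is rewritten here */

    copyin(kernel_copy, user_arg, sizeof kernel_copy);     /* fetch #2 */
    /* The real kernel now operates on kernel_copy, not wrapper_copy. */
    return policy_allows(kernel_copy) ? 0 : 1;
}

/* Hardened shape: one fetch, and the hook runs on the kernel's copy
 * after it has been made. Rewriting user memory afterwards changes
 * nothing the kernel will use. */
int hooked_open_hardened(const char *user_arg, racer_fn racer)
{
    char kernel_copy[SIM_PATH_MAX];

    copyin(kernel_copy, user_arg, sizeof kernel_copy);     /* only fetch */

    if (racer)
        racer();            /* same race attempt, now harmless */

    if (!policy_allows(kernel_copy))
        return -1;
    return 0;
}

int main(void)
{
    set_user_path("/tmp/harmless");
    printf("wrapper, raced: %d\n", wrapped_open_vulnerable(user_path, flip_to_secret));
    set_user_path("/tmp/harmless");
    printf("hook, raced:    %d\n", hooked_open_hardened(user_path, flip_to_secret));
    set_user_path("/etc/master.passwd");
    printf("wrapper, honest: %d\n", wrapped_open_vulnerable(user_path, NULL));
    return 0;
}
```

The wrapper is not buggy in its own logic; it is defeated purely because the argument lives in memory the process controls and is read twice. That is why the fix is architectural (check the copy the kernel will actually use, inside the kernel) rather than a patch to the wrapper's check.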