On Sat, 21 Sep 2002, Pong wrote:

>
>
> On Sat, 21 Sep 2002, Ian C. Sison wrote:
>
> > > monolithic:
> > > Yes, bind and linux can be _________ ? What's the point?
> >
> > An OS kernel is too complex and too low level to be broken up into
> > different proglets unlike a relatively simple application like an MTA or
> > Name server.  If we all insisted on a micro-kernel type of Linux, we would
> > still be in the pre-alpha stage right now just like the GNU Hurd.  A line
> > must be drawn, and it's usually on the side of practicality.
> >
>
> i agree on this very much.  not every piece of software needs to be
> modular nor monolithic. there are always exceptions.
>
> >
> > > Insecure:
> > > Historically yes. with the new version or old version?
> >
> > A software's history of security issues is enough evidence for me as to
> > why its monolith structure is prone to security problems.  For now the
> > drop priv band aid of sendmail works, but i just wonder how long it will.
>
> but why did this balloon to a big issue?  because sendmail always runs as
> root so there is a need to drop privs *in every situation* since it's a
> monolithic setuid executable. it's like logging into your box as root then
> su-ing to a normal user for each task. to avoid that, qmail and postfix
> were designed to be modular so that root usage was isolated to the modules
> that needed it.  therefore, the problem is not on dropping privs, but on
> being root inappropriately.

Also to add to this, the latest openssh 3.4p1 by default enables privsep,
which does the same thing, having only the 'connection receiver' run as
root, and upon connection, drops all privs and proceeds to the encryption
routines.  Presumably the listener code is simple enough to bulletproof,
and allows the more complex encryption logic to run in nonpriv mode.

> note: bind9.x does more!  it even drops all root capabilities except the
> ability to bind() and set resource limits.  only a kernel bug can allow
> the successful intruder (even with uid=0) to regain full root access.

Admittedly the rewrite of bind does indeed improve by leaps and bounds the
security of the overall product.  However i believe a design such as what
djbdns adopts is still a better approach to such a project. \8)
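The pattern discussed in this thread (bind the privileged socket while still root, then drop to an unprivileged uid/gid and make sure root cannot be regained) as an added C example. It is not code from the thread, nor from sendmail, qmail, postfix, openssh or bind; the port number and the uid/gid 65534 used as the service account are placeholders chosen for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Open the listening socket while still privileged: ports below 1024
 * need root (or, as with bind9, the capability to bind()).  Returns the
 * listening fd, or -1 on error with errno set. */
static int open_listener(const char *addr, unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);

    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, addr, &sa.sin_addr) != 1 ||
        bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0 ||
        listen(fd, 16) != 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Permanently drop to uid/gid.  Order matters: the supplementary groups
 * and the gid must go first, because once the uid is non-zero the
 * process may no longer change them.  Returns 0 on success, -1 if any
 * step failed or if root could still be regained afterwards. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0) {
        /* Only root may clear the supplementary group list. */
        if (setgroups(0, NULL) != 0)
            return -1;
    }
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* Verify the drop: all uids/gids must now be the target ids. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    /* Verify it is irreversible: if the saved uid were still 0, this
     * setuid(0) would succeed and the "drop" would be a band-aid only. */
    if (uid != 0 && setuid(0) != -1)
        return -1;
    return 0;
}

int main(void)
{
    /* Run as root to see the privileged bind on port 53 followed by the
     * drop to the placeholder service ids; as a normal user the program
     * falls back to an unprivileged port and keeps its own ids. */
    int is_root = geteuid() == 0;
    unsigned short port = is_root ? 53 : 8053;
    uid_t target_uid = is_root ? (uid_t)65534 : getuid();   /* placeholder id */
    gid_t target_gid = is_root ? (gid_t)65534 : getgid();   /* placeholder id */

    int fd = open_listener("127.0.0.1", port);
    if (fd < 0) {
        perror("open_listener");
        return 1;
    }
    if (drop_privileges(target_uid, target_gid) != 0) {
        perror("drop_privileges");
        close(fd);
        return 1;
    }
    printf("listening on fd %d as uid=%d euid=%d gid=%d\n",
           fd, (int)getuid(), (int)geteuid(), (int)getgid());
    close(fd);
    return 0;
}
```

The final `setuid(0)` probe is the check the thread's "band-aid" remark is about: a process that only changed its effective uid (via `seteuid`) would pass the id comparisons but still be able to switch back, so the function treats a successful `setuid(0)` as a failed drop. Real daemons look up the service account with `getpwnam()` rather than hard-coding ids.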


Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
To leave: send "unsubscribe" in the body to [EMAIL PROTECTED]

Fully Searchable Archives With Friendly Web Interface at http://marc.free.net.ph

To subscribe to the Linux Newbies' List: send "subscribe" in the body to 
[EMAIL PROTECTED]
