On Tue, 26 Mar 2002 15:49, Michal Novotny wrote:
It is possible to make virtual web hosting (apache) in chroot jail?
Yes. Just install complete copies of Debian in the chroot jails.
There is a little problem with about 1500 domains/clients.
How can I set it up (with
On Fri, 17 Oct 2003 07:08, Bernd Eckenfels wrote:
In article [EMAIL PROTECTED] you wrote:
A read-only /usr is not a security measure.
Depends on your definition of it-security. It reduces downtime, prevents
some admin and software failures and therefore is a security measure.
So is a tape
On Sat, 18 Oct 2003 07:07, Adam ENDRODI wrote:
To stay on topic, I'm for keeping /usr and /usr/local read-only,
because really nothing should update them except for a few
programs under controlled circumstances (that's what makes
the enforcement of this policy cheap). In addition, it might
On Sat, 18 Oct 2003 23:36, Goswin von Brederlow wrote:
Michael Stone [EMAIL PROTECTED] writes:
A quiescent filesystem isn't going to be corrupted in a system crash.
You need to have metadata inconsistencies caused by filesystem activity
before you can get corruption.
Which you get from
On Sun, 19 Oct 2003 03:44, Bernd Eckenfels wrote:
In article [EMAIL PROTECTED] you wrote:
Anyway perhaps we should get a new mailing list debian-security-de for
the German meaning of security. Then the rest of us can discuss crypto,
MAC, and other things that match the English meaning of
On Wed, 22 Oct 2003 19:27, Dariush Pietrzak wrote:
'su -s /bin/bash -c cmd user '
sounds like a very bs argument
Do you understand the term 'breakage' ?
Do you understand the term testing?
How about the idea that changing something in the system may force you
to rewrite parts of
On Wed, 22 Oct 2003 20:00, Dariush Pietrzak wrote:
Do you understand the term 'breakage' ?
Do you understand the term testing?
Why should I?
Because some of us have already performed extensive tests on this when it was
raised previously.
The idea of giving non-login accounts a shell
On Wed, 22 Oct 2003 21:37, I.R.van Dongen wrote:
If the shells are changed, there are some really big consequences,
but
Such as? Please share your knowledge. :-)
- manually compiled postgresql (user:postgres) expects the user it runs
as to have a valid shell (I'm not sure about the
On Wed, 22 Oct 2003 20:39, Joe Moore wrote:
Russell Coker said:
The idea of giving non-login accounts a shell of /bin/false is hardly
new.
Out of curiosity, what security benefit does a shell of /bin/false grant,
that say, an encrypted password of NOLOGIN (or equivalently *) does
On Thu, 23 Oct 2003 04:02, Joe Moore wrote:
There was a case of a buggy pam some time ago which let people login to
accounts such as man and bin. Changing the shell would have
prevented that problem (or limited the number of accounts that were
vulnerable)
So there was a bug in the PAM
On Sat, 25 Oct 2003 02:40, Joe Moore wrote:
So there was a bug in the PAM code so that it ignored an invalid
/etc/passwd field. Why would the next bug not ignore some other
/etc/passwd field (like the user's chosen shell)?
You are correct, the next time a problem is discovered in PAM
On Sat, 25 Oct 2003 02:46, Joe Moore wrote:
To create a file in /bin you need root access. Therefore to create
/bin/.rhosts you need more access than such a file will grant. There
is no point in such an attack. Why would someone create /bin/.rhosts
when they can create /root/.rhosts?
On Tue, 28 Oct 2003 18:12, Tom Goulet (UID0) wrote:
I'm curious what a malicious user could do with access to the
framebuffer device via the /dev/fb0 device file. Could a malicious
user see anything other than what's on his or her virtual console or X
session?
A malicious user who logs in
On Tue, 25 Nov 2003 19:51, Chema [EMAIL PROTECTED] wrote:
Making /usr read-only is not for that kind of security. It will keep your
data safe from corruption (soft one, anyway: a disk crash will take
anything with it ;-). Besides, you can get a better performance formatting
it with ext2,
On Wed, 26 Nov 2003 07:45, Chema [EMAIL PROTECTED] wrote:
RC Why would you get better performance? If you mount noatime then
RC there's no writes to a file system that is accessed in a read-only
RC fashion and there should not be any performance issue.
Hum, ¿are you talking only about ext3?
On Thu, 27 Nov 2003 04:51, Matt Zimmerman [EMAIL PROTECTED] wrote:
Big money does not imply big security. Large corporations with lots of
money to spend on security are compromised all the time. Obviously, they
aren't as forthcoming about it as Debian due to monetary concerns, but even
those
On Wed, 26 Nov 2003 14:24, Bernd Eckenfels
[EMAIL PROTECTED] wrote:
I am talking about any file system. When only reading from a file system
there should not be any performance difference when comparing a RO mount
vs a NOATIME mount. If there is a difference then it's a bug in the file
will be
removed.
If you want to use User-Mode-Linux (UML) with SE Linux then you need to apply
the UML kernel patch, the LSM kernel patch, and an additional patch that can
be found on http://www.coker.com.au/uml/ .
Feel free to ask me if you have any queries about how to do this properly.
Russell Coker
On Sat, 29 Nov 2003 05:10, Martin G.H. Minkler [EMAIL PROTECTED] wrote:
A little OT, but http://www.adamantix.org 's distro provides everything
and more SELinux has to offer while IMHO being a little easier to handle.
Adamantix is not Debian. The people subscribed to this list are here for
On Sat, 29 Nov 2003 11:46, Forrest L Norvell [EMAIL PROTECTED] wrote:
un libselinux-dev none (no description available)
ii libselinux1 1.2-1.1 SELinux shared libraries
un libselinux1-dev none (no description
On Sun, 30 Nov 2003 14:53, Colin Walters [EMAIL PROTECTED] wrote:
On Sat, 2003-11-29 at 22:47, David Spreen wrote:
of their programs. the system could use a db of installed-package
resources. Therefore we would need to create a common language that
could be translated to any acl-format.
On Sun, 30 Nov 2003 15:32, Colin Walters [EMAIL PROTECTED] wrote:
However, this is not such a bad idea, if you don't try to be too formal
about it. If maintainers shipped English descriptions (say,
README.Security) of what the security implications of their programs
were, it could be very
On Sun, 30 Nov 2003 22:33, Martin Pitt [EMAIL PROTECTED] wrote:
On 2003-11-29 21:08 +1100, Russell Coker wrote:
It's not a question of how difficult it is to get the grsec patch to
apply and work correctly on a Debian kernel. It's a question of whether
anyone is prepared to do
On Mon, 1 Dec 2003 04:27, Andreas Barth [EMAIL PROTECTED] wrote:
Is it possible for me as a package maintainer to specify the needed
rights for my programs in a way that as many systems as possible
can use these without the need for a sysadmin to change anything? Or
would each LSM-based
On Mon, 1 Dec 2003 05:10, Milan P. Stanic [EMAIL PROTECTED] wrote:
On Sun, Nov 30, 2003 at 11:24:43PM +1100, Russell Coker wrote:
It's a pity that the developers of other security systems didn't get
involved, it would be good to have a choice of LIDS, HP's system, DTE,
and others
On Mon, 1 Dec 2003 07:43, Andreas Barth [EMAIL PROTECTED] wrote:
There will be support in RPM for packages that contain SE Linux policy.
For Debian such support will come later (if at all) as the plan is to
centrally manage all policy for free software, and it's not difficult to
apply
On Mon, 1 Dec 2003 07:46, Andreas Barth [EMAIL PROTECTED] wrote:
* Russell Coker ([EMAIL PROTECTED]) [031130 21:40]:
On Mon, 1 Dec 2003 05:10, Milan P. Stanic [EMAIL PROTECTED] wrote:
On Sun, Nov 30, 2003 at 11:24:43PM +1100, Russell Coker wrote:
It's a pity that the developers of other
On Tue, 2 Dec 2003 08:48, Andreas Barth [EMAIL PROTECTED] wrote:
* Russell Coker ([EMAIL PROTECTED]) [031201 05:10]:
On Mon, 1 Dec 2003 07:43, Andreas Barth [EMAIL PROTECTED] wrote:
What about the gettys? I'm asking this because I wrote the initial
mail because of mgetty, a package where
On Tue, 2 Dec 2003 18:32, Peter Palfrader [EMAIL PROTECTED] wrote:
There is currently no uucp policy (it seems that no SE Linux users are
using it).
I have one, but it does only allow what I need for uucp, which is
certainly just a small subset of possible uucp uses.
I've attached a
On Wed, 3 Dec 2003 00:56, Peter Palfrader [EMAIL PROTECTED] wrote:
I've attached a modified version, please check it out. I've changed some
of the things to do it in the recommended manner (eg the
system_crond_entry() macro), and removed some things.
The part for running ssh looked
On Mon, 8 Dec 2003 19:16, Domonkos Czinke [EMAIL PROTECTED]
wrote:
I recommend using the chattr program. You should set them immutable
chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow. Man chattr.
In a stock Linux kernel the permissions required to chattr -i a file are
exactly the
On Fri, 19 Dec 2003 08:02, martin f krafft [EMAIL PROTECTED] wrote:
I would be very interested, Russell, to hear your opinion about the
claim that the LSM hooks are dangerous in terms of root kit
exploits. Do you agree? If not, then please tell us what LSM
precautions take care to prevent that.
On Fri, 19 Dec 2003 20:18, Henrique de Moraes Holschuh [EMAIL PROTECTED] wrote:
On Fri, 19 Dec 2003, Russell Coker wrote:
In terms of LSM protection against this, if you use SE Linux then all
aspects of file access and module loading are controlled by the policy.
I am going to write
On Mon, 22 Dec 2003 19:45, Marcel Weber [EMAIL PROTECTED] wrote:
s. keeling wrote:
gpg: Signature made Sun Dec 21 17:14:28 2003 MST using DSA key ID 946886AE
gpg: Good signature from Trey Sizemore [EMAIL PROTECTED]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:
On Mon, 22 Dec 2003 20:02, Marcel Weber [EMAIL PROTECTED] wrote:
Russell Coker wrote:
Signing a key you don't know is not a good idea, it's easy to
accidentally upload a key...
There is a gpg option lsign which can be used for this, it's like a
regular signature but it can never
This discussion has some minor relevance to debian-isp, but nothing to do with
debian-security. Let's move the discussion to debian-isp.
On Wed, 24 Dec 2003 00:25, Dale Amon [EMAIL PROTECTED] wrote:
I've been noticing loads of mails like this lately:
emery atrocious larval drippy elate
On Sun, 4 Jan 2004 07:53, martin f krafft [EMAIL PROTECTED] wrote:
also sprach Russell Coker [EMAIL PROTECTED] [2003.12.19.0229 +0100]:
In terms of LSM protection against this, if you use SE Linux then
all aspects of file access and module loading are controlled by
the policy. I am going
On Wed, 21 Jan 2004 11:28, Markus Schabel [EMAIL PROTECTED] wrote:
hello folks!
can you tell me what the following means in an apache error.log and
where it comes from? I've searched through all other apache log files
but didn't find something that could generate this.
(sure, the server got
On Sun, 25 Jan 2004 20:49, Raffaele D'Elia [EMAIL PROTECTED]
wrote:
checks for new mail in a mailbox via pop3;
If you use IMAP it should be possible for you to ask the server to notify you
when new mail is received. This should give you a faster response if the
server correctly implements
On Sun, 15 Feb 2004 05:31, Wade Richards [EMAIL PROTECTED] wrote:
Every once in a while I get a bunch of errors because some process tried
to access my CDROM, triggering automount when there's no disk in the
drive.
SE Linux can audit all interesting actions, exec, read, write, create,
On Wed, 18 Feb 2004 23:30, Kristopher Matthews [EMAIL PROTECTED] wrote:
This is a security nightmare. I would *not* recommend doing any such
thing in a user filesystem.
You're making the assumption that he LIKES his users. :)
It's not a matter of whether the admin likes his users, it's
On Wed, 18 Feb 2004 23:59, Javier Fernández-Sanguino Peña [EMAIL PROTECTED]
wrote:
On Wed, Feb 18, 2004 at 11:05:30AM +0100, Richard Atterer wrote:
Waah, SCARY!
Users can create hard links to arbitrary files in that directory, e.g.
links to other users' private files or to
On Thu, 19 Feb 2004 00:23, Javier Fernández-Sanguino Peña [EMAIL PROTECTED]
wrote:
On Wed, Feb 18, 2004 at 11:50:27PM +1100, Russell Coker wrote:
If you are going to change such things then you need to use the -uid or
-gid options to find (depending on whether you are changing the UID
On Thu, 19 Feb 2004 09:12, Michael Stone [EMAIL PROTECTED] wrote:
On Wed, Feb 18, 2004 at 11:50:27PM +1100, Russell Coker wrote:
The other way of doing it properly is to write a program that opens each
file, calls fstat() to check the UID/GID, then uses fchown() or fchmod().
It would
On Wed, 10 Mar 2004 08:58, Milan P. Stanic [EMAIL PROTECTED] wrote:
[ Sorry, I'm not sure if this list is right place to ask this, but
I can't remember better one ]
The NSA mailing list is another option, but this one is OK.
I'm trying to backport SELinux tools and libraries from unstable
On Wed, 10 Mar 2004 21:26, Milan P. Stanic [EMAIL PROTECTED] wrote:
There have been some changes to the way libxattr works. From memory I
think that you needed an extra -l option on the link command line when
compiling with old libc6. I can't remember whether it was linking the
PAM
On Thu, 11 Mar 2004 08:22, Milan P. Stanic [EMAIL PROTECTED] wrote:
On Wed, Mar 10, 2004 at 01:29:16PM +0100, Milan P. Stanic wrote:
That is. I just rebuilt policycoreutils and pam with libselinux1
which is linked with libattr and it was smooth.
Now I have to backport coreutils and
On Thu, 11 Mar 2004 20:40, Milan P. Stanic [EMAIL PROTECTED] wrote:
On Thu, Mar 11, 2004 at 09:02:50AM +1100, Russell Coker wrote:
If someone needs them I can put it on the net or post somewhere, or
maybe help if the help is needed.
If you could establish an apt repository
On Thu, 11 Mar 2004 22:14, Milan P. Stanic [EMAIL PROTECTED] wrote:
On Thu, Mar 11, 2004 at 09:42:52PM +1100, Russell Coker wrote:
If you copy all files related to a package intact then you don't have to
make such changes.
If you make any changes at all (even re-compiling with a different
On Fri, 12 Mar 2004 06:25, Norbert Tretkowski [EMAIL PROTECTED] wrote:
* Milan P. Stanic wrote:
Can I put in version something like libselinux1_1.6-0.1-bp.mps_i386.deb
instead of libselinux1_1.6-0.1_i386.deb?
Well, if 1.6-0.1 will be in our next stable release, your backport
will not be
On Sat, 20 Mar 2004 05:14, Phillip Hofmeister [EMAIL PROTECTED] wrote:
On another note, The GRSecurity/SELinux patches mitigate a lot of kernel
vulnerabilities and userland vulnerabilities. If you are running your
own kernel you may wish to look at them.
Nothing protects you against kernel
On Tue, 23 Mar 2004 08:19, Florian Weimer [EMAIL PROTECTED] wrote:
No, it's another example for a package which heavily deviates from
upstream (AFAIK, upstream is defunct) and is now developed by the
GNU/Linux distributions (and each variant has a slightly different
features). Despite this,
On Wed, 24 Mar 2004 22:22, Michael Stone [EMAIL PROTECTED] wrote:
The best you could do would be to attach different certificates to
different ports, but that would be extremely cumbersome and probably
would lead to confusion.
What if you had http://www.company1.com/ redirect to
On Thu, 1 Apr 2004 17:59, [EMAIL PROTECTED] (Michael Becker) wrote:
If you just want a kernel, with almost everything in there belonging
to security, have a look at WOLK (Working OverLoaded Kernel)
at http://sourceforge.net/projects/wolk
It appears that WOLK is not in Debian. I would guess
On Sat, 10 Apr 2004 04:22, [EMAIL PROTECTED] wrote:
Is there anything ordinary that can cause passwords to be changed? I tried
to log in last night and sshd wouldn't accept either my user's password or
my root password. When I got physical access this morning, I couldn't log
into the console
On Mon, 12 Apr 2004 10:00, Joe Bouchard [EMAIL PROTECTED] wrote:
In a meeting at work (I'm part of the IT group at a large corporation)
someone mentioned a particular kind of network hardware which would stop
working correctly after a while.
Here are some ways that network issues can slow down
On Thu, 15 Apr 2004 02:01, Jeff Coppock [EMAIL PROTECTED] wrote:
I'm having trouble with getting entries here to work. I have the
following /var/log/auth.log messages that I want to filter out of
logcheck (version 1.2.16, sarge):
CRON[15302]: (pam_unix) session opened for user root by
On Tue, 20 Apr 2004 07:50, Jan Minar [EMAIL PROTECTED] wrote:
It seems like they should be 660, not 600, as I suggested (wall(1) and
talkd(1) would break otherwise, probably).
What prevents wall from sending those escape sequences?
--
http://www.coker.com.au/selinux/ My NSA Security
On Sat, 5 Jun 2004 08:52, Michael Stone [EMAIL PROTECTED] wrote:
So, adding handling for SPF RRs in one's MTA yields significant
advantages today, despite the technology being new, because _all_ of the
forgemail claiming to be from aol.com, msn.com, hotmail.com, pobox.com,
etc. can be detected
On Thu, 10 Jun 2004 18:21, Jaroslaw Tabor [EMAIL PROTECTED] wrote:
We are allowing all emails from whitelists.
Who is we in this context? Individual users or mailing list administrators?
For unknown sender, automated confirmation request is sent. If
For mailing lists this can be achieved by
On Fri, 11 Jun 2004 06:03, Alain Tesio [EMAIL PROTECTED] wrote:
On Thu, 10 Jun 2004 18:58:33 +1000
Russell Coker [EMAIL PROTECTED] wrote:
For mailing lists this can be achieved by making the list
subscriber-only. For individual accounts such behaviour is very
anti-social as it results
On Fri, 11 Jun 2004 19:29, Dale Amon [EMAIL PROTECTED] wrote:
On Fri, Jun 11, 2004 at 10:45:44AM +1000, Russell Coker wrote:
It is anti-social for every idiot on the net to think that they are
important enough to require a subscription from everyone who wants to
send them email.
Like
On Fri, 11 Jun 2004 21:38, Dale Amon [EMAIL PROTECTED] wrote:
That said, those who can afford it will hire human
operators to act as email gatekeepers; those who can't
will use whatever a salesman can convince them is
affordable and works. Whether we like it or not will
not figure into the
On Fri, 11 Jun 2004 22:34, Patrick Maheral [EMAIL PROTECTED] wrote:
It seems that most people here don't like CR systems, and I'd have to
agree with that consensus.
I'm just wondering what is the general feeling about using hashcash and
other header signatures systems.
Currently you can't
On Fri, 11 Jun 2004 23:43, [EMAIL PROTECTED] (Rens Houben) wrote:
In other news for Fri, Jun 11, 2004 at 11:24:05PM +1000, Russell Coker has
been seen typing:
Besides, with an army of Windows Zombies you could generate those
signatures anyway...
Why bother, when said windows machines
On Sat, 12 Jun 2004 04:22, s. keeling [EMAIL PROTECTED] wrote:
Incoming from Rick Moen:
Quoting Russell Coker ([EMAIL PROTECTED]):
Some of the anti-spam people are very enthusiastic about their work. I
wouldn't be surprised if someone writes a bot to deal with CR systems.
A bot
On Mon, 14 Jun 2004 16:39, Adrian 'Dagurashibanipal' von Bidder
[EMAIL PROTECTED] wrote:
Also you may want to look at the rfc-ignorant.org ones, but reading
nanae I got the impression that they are more trouble than they're
worth.
This thread inspired me to fiddle with my anti-spam settings
On Tue, 15 Jun 2004 04:56, andrew lattis [EMAIL PROTECTED] wrote:
currently i've got an ever growing password list in a plain text file
stored on an encrypted loopback fs, this is getting cumbersome...
figaro's password manager (package fpm) looks nice and uses blowfish to
encrypt data but i
On Tue, 15 Jun 2004 17:24, Rudy Gevaert [EMAIL PROTECTED] wrote:
Would it be possible to run that program through e.g. perl/php/... ?
A user could ftp the executable and write a php script that executes it.
Does PHP allow executing arbitrary binaries?
If the user can install CGI-BIN scripts then
On Tue, 15 Jun 2004 18:46, Alberto Gonzalez Iniesta [EMAIL PROTECTED] wrote:
Some of the applications I run use kwallet, that seems similar to what
Russell Coker described for OS X.
No. kwallet can be ptraced, this allows a hostile program to get access to
all its data with ease.
Of course
On Sat, 3 Jul 2004 10:28, LOGAN Jim [EMAIL PROTECTED] wrote:
WHO R U FUCKIN' BASTARD ?
I HATE THE BLOODY MOTHER FUCKERS LIKE U !
I DON' T LIKE YOUR DAMN' VIRUS , SON OF A BITCH ! ...I' LL GET
YOUR BLOODY SKIN ! WOLVERINE
Does your mother know you talk like that?
The
On Mon, 26 Jul 2004 02:57, John Richard Moser [EMAIL PROTECTED] wrote:
I'm interested in discussing the viability of PaX on Debian. I'd like
to discuss the changes to the base system that would be made, the costs
in terms of overhead and compatibility, the gains in terms of security,
and the
On Mon, 26 Jul 2004 13:48, John Richard Moser [EMAIL PROTECTED] wrote:
| Before we can even start thinking about PaX on Debian we need to find a
| maintainer for the kernel patch who will package new versions of the
| patch which apply to the Debian kernel source tree. We have had a few
Are
The start scripts for some daemons do su - user or use
start-stop-daemon -c to launch the daemon, postgresql is one example.
During the time between the daemon launch and it closing its file handles and
calling setsid(2) (which some daemons don't do because they are buggy) any
other code
On Mon, 26 Jul 2004 22:43, Milan P. Stanic [EMAIL PROTECTED] wrote:
If so when will the patch be submitted to Linus?
Who knows? These days patches don't get accepted so easily :-(
The SE Linux patches get accepted easily enough. Most of the 2.6.x kernels
have had SE Linux changes in them.
On Mon, 26 Jul 2004 22:54, [EMAIL PROTECTED] wrote:
I have a machine that has been the unfortunate victim of SuckIT
r00tkit. As this exploit relies on writing to /dev/kmem, I was thinking
of making /dev/mem and /dev/kmem unwriteable. I have heard this breaks X
and some gdb functions, but does
On Mon, 26 Jul 2004 23:38, [EMAIL PROTECTED] wrote:
I have a machine that has been the unfortunate victim of SuckIT
r00tkit. As this exploit relies on writing to /dev/kmem, I was thinking
of making /dev/mem and /dev/kmem unwriteable. I have heard this breaks
X and some gdb functions,
On Tue, 27 Jul 2004 00:23, Michael Stone [EMAIL PROTECTED] wrote:
On Mon, Jul 26, 2004 at 11:38:33PM +1000, [EMAIL PROTECTED] wrote:
/dev/kmem unusable. That, he says, will break lilo (I can't use GRUB as
it doesn't support booting off RAID devices properly)
Hmm. Seems to work here.
It seems
On Tue, 27 Jul 2004 07:48, Andrew Pimlott [EMAIL PROTECTED] wrote:
During the time between the daemon launch and it closing its file
handles and calling setsid(2) (which some daemons don't do because they
are buggy) any other code running in the same UID could take over the
process via
On Mon, 23 Aug 2004 09:34, Geoff [EMAIL PROTECTED] wrote:
There is an elaborate system to maintain quality in new Debian
developers (which seems like a good idea to me). Why not have some sort
of system for ensuring the quality in continuing DD?
If a DD didn't meet the criteria they would go
On Mon, 23 Aug 2004 13:07, Thomas Bushnell BSG [EMAIL PROTECTED] wrote:
Russell Coker [EMAIL PROTECTED] writes:
Removing developers who don't meet certain criteria (EG no package
uploads for 6 months) from active status makes a lot of sense.
Anyone care to propose a GR?
Careful about
On Mon, 23 Aug 2004 14:46, Bron Gondwana [EMAIL PROTECTED] wrote:
Removing developers who don't meet certain criteria (EG no package
uploads for 6 months) from active status makes a lot of sense. Anyone
care to propose a GR?
This doesn't work. The problem is basically:
a) what about a
On Mon, 23 Aug 2004 13:30, Thomas Bushnell BSG [EMAIL PROTECTED] wrote:
Russell Coker [EMAIL PROTECTED] writes:
Removing from active status seems appropriate to me.
But that's a totally different subject. If you want to remove Debian
developers from the list of developers, because
On Mon, 20 Sep 2004 06:15, martin f krafft [EMAIL PROTECTED] wrote:
I want to add another point to this discussion. While we cannot
prevent malicious maintainers from installing to the archives or
poisoning the buildds, requiring all binaries to be remade on the
buildds would rule out the
On Sun, 26 Sep 2004 07:22, Lorenzo Hernandez Garcia-Hierro [EMAIL PROTECTED]
wrote:
- openssh (i'm working on the patches that bring SecurID Token use
features, and others from independent hackers)
Most of the features you list are things that are difficult to get into
Debian/main. But token
On Mon, 27 Sep 2004 00:39, Lorenzo Hernandez Garcia-Hierro [EMAIL PROTECTED]
wrote:
Most of the features you list are things that are difficult to get into
Debian/main.
Not too really difficult, it depends on how it gets developed:
On Mon, 18 Oct 2004 07:08, Rick Moen [EMAIL PROTECTED] wrote:
Quoting Jason Lunz ([EMAIL PROTECTED]):
The entire neighbor cache was completely rewritten recently, and I
believe it was prompted by exactly this sort of situation.
Just wanted to mention: That neighbour table overflow error can
On Sun, 24 Oct 2004 19:24, Jan Lhr [EMAIL PROTECTED] wrote:
Yes, and that is one of the core points in my suggestion that you look
at SELinux or a similar mandatory access control based security module.
SELinux is overkill in some ways. A system administrator, not being able to
handle ACLs
On Monday 24 January 2005 19:10, Markus Schabel [EMAIL PROTECTED]
wrote:
I've setup a server with selinux enabled, using the packages from Russell
Coker (http://www.coker.com.au/selinux/) but they are a bit outdated, at
least there are more current packages in debian/testing available
On Monday 07 February 2005 14:43, Alvin Oga [EMAIL PROTECTED]
wrote:
No, you make an image, reinstall, and if you have time (ie. you normally
dont) then you can start the forensics.
yes about making an image ... i assume you mean
- take the box down,
- i hate taking the box down, as
On Wednesday 27 April 2005 21:16, Marcell Metzner [EMAIL PROTECTED]
wrote:
I have seen this using SE Linux or RSBAC.
This 2 are the best I have seen till now.
One limitation of SE Linux in this regard is due to the design of the LSM
interface.
The LSM interface does not get called until
On Sun, 30 Dec 2001 11:18, Petre Daniel wrote:
Well, I know Karsten's on my back and all, but I have not much time to
learn, and too many things to do at my firm, so I am asking if one of you has
any idea how can bind be protected against that DoS attack and if someone
has some good firewall for a
On Wed, 22 Oct 2003 18:50, Tobias Reckhard wrote:
also su user -c command won't work, you'll need to use sudo or suid bit,
and that's a bit messy.
This is true, when I need to su to this user's account (for
troubleshooting, usually), I need to 'chsh -s /bin/bash mirror' first
(and change