dave b <[email protected]> writes:
> On 29 July 2010 14:40, Daniel Pittman <[email protected]> wrote:
>> dave b <[email protected]> writes:
>>> On 28 July 2010 12:23, Matthew Hannigan <[email protected]> wrote:
>>>> On Tue, Jul 27, 2010 at 04:04:05PM +1000, Ben Donohue wrote:
>>>> [ .... ]
>>>>> How about a DNS, squid and web server with multiple name based
>>>>> virtual domains on the same box?
>>>>>
>>>>> Is doing the above really dangerous on a fully patched and up to
>>>>> date system?
>>>> Also depends on the webapp.
>>>> I'd be more comfortable with java (especially with security
>>>> manager on) which is after all another form of vm.
>>> Java is like php, there are also language flaws coming out to bite you real
>>> soon. /me mutters something about OH MY THEY ESCAPED FROM THE JVM.
>>
>> Do you have a reference for that?
>
> Here is a recent example :)
> http://blog.cr0.org/2009/05/write-once-own-everyone.html
> You can find older examples as well :)

Thanks. That saves me searching around to try and find the same information
myself. :)

>> ...but why? What actual security value does that add, compared to the vanilla
>> kernels which do, oh, everything listed in their bullet point feature list,
>> and out of the box covers over eighty percent of them?
>
> Good :) - but not chroot break out prevention, further aslr improvements etc.

Mmmm. Most of the non-merged features are the ones that are fairly heavily
disputed WRT security value, though, are they not?

Anyhow, actually telling people why you recommended this was my core point,
not to argue about the actual value of the individual items, so if you don't
feel super-enthused about responding neither do I. :)

>> Pro tip: asserting that an RBAC system will increase security is silly without
>> actually understanding how it will be used; people can do things just as badly
>> with RBAC as without.
>
> Sure, but grsecurity also has some other features :)

That was a subset list of the issues, but a fair response to what I wrote. ;)

Daniel
--
✣ Daniel Pittman ✉ [email protected] ☎ +61 401 155 707
♽ made with 100 percent post-consumer electrons
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html