On Tue, 26 Aug 2003 00:26, Milan P. Stanic wrote:
> [ OK, I'm going to think that we never will have a secure system because
> absolute security is against nature. ]
True, so let's just get what we can.
> > Why? I've used OpenWall and PaX and not found any programs that fail to
> > work correctly
On Mon, 25 Aug 2003, Milan P. Stanic wrote:
> So, I think I'm not slandering them or at least that isn't my
> intention. I apologize if I did.
Slander wasn't the correct word. It's just not a good idea to malign a
whole set of coders and programs without solid reasoning behind it.
>> As far as I
On Mon, Aug 25, 2003 at 10:56:38AM -0700, Don Armstrong wrote:
> I'm personally only really familiar with ISC's dhcpd3-server, but have
> you even read the code written by Ted Lemon? Just randomly slandering
> programmers when you are not intimately familiar with their code isn't
> something that s
On Mon, 25 Aug 2003, Milan P. Stanic wrote:
> There are some of them: vsftpd, pure-ftpd, udhcp, uschedule ... to
> note just some. They are not 100% secure, but they are more secure
> than software written by ISC.
I'm personally only really familiar with ISC's dhcpd3-server, but have
you even read
"Milan P. Stanic" <[EMAIL PROTECTED]> writes:
> On Mon, Aug 25, 2003 at 04:14:12PM +1000, Russell Coker wrote:
> > On Mon, 25 Aug 2003 07:48, Milan P. Stanic wrote:
> > > > Also I don't expect DJB to write replacements for dhcpd, dhclient, ftpd,
> > > > cron,
> > >
> > > Maybe someone else should
* Milan P. Stanic ([EMAIL PROTECTED]) [030825 16:50]:
> On Mon, Aug 25, 2003 at 04:14:12PM +1000, Russell Coker wrote:
> > On Mon, 25 Aug 2003 07:48, Milan P. Stanic wrote:
> > > > Also I don't expect DJB to write replacements for dhcpd, dhclient, ftpd,
> > > > cron,
> > >
> > > Maybe someone else
On Mon, Aug 25, 2003 at 04:14:12PM +1000, Russell Coker wrote:
> On Mon, 25 Aug 2003 07:48, Milan P. Stanic wrote:
> > > Also I don't expect DJB to write replacements for dhcpd, dhclient, ftpd,
> > > cron,
> >
> > Maybe someone else should do that, I hope at least.
>
> What should be done for the
On Mon, 25 Aug 2003 07:48, Milan P. Stanic wrote:
> > Also I don't expect DJB to write replacements for dhcpd, dhclient, ftpd,
> > cron,
>
> Maybe someone else should do that, I hope at least.
What should be done for the few years that we probably have to wait for such
programs to be written?
>
"Milan P. Stanic" <[EMAIL PROTECTED]> writes:
> On Sun, Aug 24, 2003 at 01:40:28PM +1000, Russell Coker wrote:
> > Why is it a limit? We are not talking about making any of these
> > mandatory for Debian users. We want to give them a choice of all of
> > the above.
>
> I'm not against choice, I j
On Sun, Aug 24, 2003 at 01:40:28PM +1000, Russell Coker wrote:
[...]
> > I agree, but writing secure (not perfectly secure) software may be
> > nearly possible.
> > I don't like to start a flame war, but must mention djbdns and qmail.
>
> Yes, however they have less functionality than the alternativ
On Sun, 24 Aug 2003 08:22, Milan P. Stanic wrote:
> > When you login to do administrative work by default you will have the
> > context root:sysadm_r:sysadm_t as the Identity:Role:Domain. This will
> > deny you access to block devices, when you run mount or mkfs they run in
> > different domains w
On Sun, Aug 24, 2003 at 01:19:38AM +1000, Russell Coker wrote:
> On Sat, 23 Aug 2003 19:36, Milan P. Stanic wrote:
> > > Allowing the system administrator to write to /dev/mem as part of
> > > debugging the kernel is a feature.
> >
> > UID 0 must have rights to do everything. root can "format" file
On Sat, 23 Aug 2003 19:36, Milan P. Stanic wrote:
> > Allowing the system administrator to write to /dev/mem as part of
> > debugging the kernel is a feature.
>
> UID 0 must have rights to do everything. root can "format" filesystem,
> by mistake or by intention.
UID does not have to be the only m
* Milan P. Stanic ([EMAIL PROTECTED]) [030823 11:50]:
> On Sat, Aug 23, 2003 at 03:13:25PM +1000, Russell Coker wrote:
> > Allowing the system administrator to write to /dev/mem as part of debugging
> > the kernel is a feature.
> UID 0 must have rights to do everything. root can "format" filesyst
Brian May <[EMAIL PROTECTED]> writes:
> On Fri, Aug 22, 2003 at 10:05:13PM +0200, Goswin von Brederlow wrote:
> > Depending on the size of udev it might be on the initrd or not.
> > If it's not then you need a lot of /dev entries to mount the real root
> > device and get udev started or an extra scr
On Sat, Aug 23, 2003 at 11:36:04AM +0200, Milan P. Stanic wrote:
| > Allowing the dhcp server to write to /dev/mem because it's UID 0 and Unix
| > security sucks is a bug.
|
| The problem isn't with UID 0, but with bugs in software.
No. The problem is an insecure design that forces the DHCP se
On Sat, Aug 23, 2003 at 03:13:25PM +1000, Russell Coker wrote:
> On Sat, 23 Aug 2003 07:02, Milan P. Stanic wrote:
> > On Thu, Aug 21, 2003 at 09:39:53AM +0200, Xavier Roche wrote:
> > > Note that some options are sometimes incompatible with some packages:
> > > restrictions on kmem ('Deny writing
On Sat, 23 Aug 2003 07:02, Milan P. Stanic wrote:
> On Thu, Aug 21, 2003 at 09:39:53AM +0200, Xavier Roche wrote:
> > Note that some options are sometimes incompatible with some packages:
> > restrictions on kmem ('Deny writing to /dev/kmem, /dev/mem, and
> > /dev/port') prevent lm_sensors from wor
On Fri, Aug 22, 2003 at 10:05:13PM +0200, Goswin von Brederlow wrote:
> Depending on the size of udev it might be on the initrd or not.
> If it's not then you need a lot of /dev entries to mount the real root
> device and get udev started or an extra script that created node on the
> fly from /proc/s
On Thu, Aug 21, 2003 at 09:39:53AM +0200, Xavier Roche wrote:
> Note that some options are sometimes incompatible with some packages:
> restrictions on kmem ('Deny writing to /dev/kmem, /dev/mem, and
> /dev/port') prevent lm_sensors from working properly with my server. But
"cat /dev/zero > /dev/m
* Goswin von Brederlow ([EMAIL PROTECTED]) [030822 22:15]:
> Depending on the size of udev it might be on the initrd or not.
> If it's not then you need a lot of /dev entries to mount the real root
> device and get udev started or an extra script that created node on the
> fly from /proc/something.
Brian May <[EMAIL PROTECTED]> writes:
> On Fri, Aug 22, 2003 at 11:39:21AM +0200, Goswin von Brederlow wrote:
> > Which means you need about 100 device nodes so you can boot off any
> > of the 65536 disks you could have connected?
>
> Why?
>
> The kernel currently has hardcoded logic to conve
On Fri, Aug 22, 2003 at 11:39:21AM +0200, Goswin von Brederlow wrote:
> Which means you need about 100 device nodes so you can boot off any
> of the 65536 disks you could have connected?
Why?
The kernel currently has hardcoded logic to convert the root=... string
into a major,minor number, it
On Aug 22, Goswin von Brederlow <[EMAIL PROTECTED]> wrote:
>I'm basically just interested in what's needed in /dev/ to get udev
>started and what userspace tools udev needs on an initrd.
Whatever is already needed to make your system boot.
So far udev will only create nodes for plug and play device
Russell Coker <[EMAIL PROTECTED]> writes:
> On Fri, 22 Aug 2003 11:35, Goswin von Brederlow wrote:
> > > A paper on udev was presented at OLS this year, at the URL below
> > > you can find a copy in PDF format. Basically it is a way of
> > > providing some of the features of devfs but based aroun
On Thu, 21 Aug 2003 22:38, rintek wrote:
> > As for Adamantix people helping out, they haven't even posted to this
> > mailing list yet, so I have no great expectations for them to help in
> > future.
>
> Please have a look at your email
Yes, I lived in the Netherlands for 2 years of the time I sp
On Fri, 22 Aug 2003 11:35, Goswin von Brederlow wrote:
> > A paper on udev was presented at OLS this year, at the URL below you
> > can find a copy in PDF format. Basically it is a way of providing
> > some of the features of devfs but based around using hotplug to
> > create device nodes using mk
On Thu, Aug 21, 2003 at 10:57:17PM +1000, Russell Coker wrote:
> http://archive.linuxsymposium.org/ols2003/Proceedings/
>
> As for why it's better than udev. There have been bugs in devfs in the past
> related to race conditions. Also devfs requires that the kernel knows about
> all the device
On Fri, Aug 22, 2003 at 03:35:04AM +0200, Goswin von Brederlow wrote:
> > A paper on udev was presented at OLS this year, at the URL below you
> > can find a copy in PDF format. Basically it is a way of providing
> > some of the features of devfs but based around using hotplug to
> > create device
Marco d'Itri <[EMAIL PROTECTED]> writes:
> On Aug 21, Xavier Roche <[EMAIL PROTECTED]> wrote:
>
> >- using devfs for /dev (kernel 2.4 and package devfsd installed)
> devfs will probably disappear. It's better to look at udev (which I'm
> packaging).
Could you give a quick overview about how to
Wouter Verhelst <[EMAIL PROTECTED]> writes:
> Op do 21-08-2003, om 09:49 schreef Russell Coker:
> > On Thu, 21 Aug 2003 17:39, Xavier Roche wrote:
> > > Major issues for a ro-/ are maybe:
> > > - using devfs for /dev (kernel 2.4 and package devfsd installed)
> >
> > Devfs is getting less support
Russell Coker <[EMAIL PROTECTED]> writes:
> On Thu, 21 Aug 2003 22:41, Brian May wrote:
> > On Thu, Aug 21, 2003 at 07:16:46PM +0900, Miles Bader wrote:
> > > Russell Coker <[EMAIL PROTECTED]> writes:
> > > > Devfs is getting less support now, it might not be the best time to
> > > > start dependi
rintek wrote:
Russell Coker wrote:
On Thu, 21 Aug 2003 19:13, Stefan Gybas wrote:
However, ProPolice has not been ported to all architectures yet, see
http://www.research.ibm.com/trl/projects/security/ssp/statuschart.html
for details.
Not being ported to all architectures is not a problem IMHO.
Su
On Thu, Aug 21, 2003 at 10:41:16PM +1000, Brian May wrote:
> > Indeed, it's looking likely that GregKH's `udev' will replace devfs
> > sometime in the future.
>
> Dare I ask the obvious question: what is udev? Why is it better than
> devfs?
It's mostly in user-space, lighter-weight, and more conf
On Aug 21, Xavier Roche <[EMAIL PROTECTED]> wrote:
>- using devfs for /dev (kernel 2.4 and package devfsd installed)
devfs will probably disappear. It's better to look at udev (which I'm
packaging).
>- transforming several /etc files as symlinks and moving them to some
>other place (/var/etc ?
On Thu, 21 Aug 2003 22:41, Brian May wrote:
> On Thu, Aug 21, 2003 at 07:16:46PM +0900, Miles Bader wrote:
> > Russell Coker <[EMAIL PROTECTED]> writes:
> > > Devfs is getting less support now, it might not be the best time to
> > > start depending on it.
> >
> > Indeed, it's looking likely that Gr
On Thu, Aug 21, 2003 at 07:16:46PM +0900, Miles Bader wrote:
> Russell Coker <[EMAIL PROTECTED]> writes:
> > Devfs is getting less support now, it might not be the best time to start
> > depending on it.
>
> Indeed, it's looking likely that GregKH's `udev' will replace devfs
> sometime in the fut
Op do 21-08-2003, om 09:49 schreef Russell Coker:
> On Thu, 21 Aug 2003 17:39, Xavier Roche wrote:
> > Major issues for a ro-/ are maybe:
> > - using devfs for /dev (kernel 2.4 and package devfsd installed)
>
> Devfs is getting less support now, it might not be the best time to start
> depending
Russell Coker wrote:
On Thu, 21 Aug 2003 19:13, Stefan Gybas wrote:
However, ProPolice has not been ported to all architectures yet, see
http://www.research.ibm.com/trl/projects/security/ssp/statuschart.html
for details.
Not being ported to all architectures is not a problem IMHO.
Such stack prote
> Who is interested in stack protection?
I am.
>I think it would be good to have some experiments of stack protected packages
>for Debian. Probably the best way to do this would be to start with
>ssh-stack and sysklogd-stack being uploaded to experimental. I don't have
>time to do this, but
On Thu, 21 Aug 2003 19:13, Stefan Gybas wrote:
> However, ProPolice has not been ported to all architectures yet, see
> http://www.research.ibm.com/trl/projects/security/ssp/statuschart.html
> for details.
Not being ported to all architectures is not a problem IMHO.
Such stack protection should n
Hi
On Thu, Aug 21, 2003 at 02:56:34PM +1000, Brian May wrote:
> On Thu, Aug 21, 2003 at 12:57:06PM +1000, Russell Coker wrote:
> > Who is interested in stack protection?
x86 only? ProPolice is the most platform independent iirc.
> > I think it would be good to have some experiments of stack prot
Russell Coker <[EMAIL PROTECTED]> writes:
> Devfs is getting less support now, it might not be the best time to start
> depending on it.
Indeed, it's looking likely that GregKH's `udev' will replace devfs
sometime in the future.
[It was amusing to see Christoph Hellwig's recent patch on the lkml
Xavier Roche <[EMAIL PROTECTED]> writes:
> On Thu, 21 Aug 2003, Russell Coker wrote:
> Major issues for a ro-/ are maybe:
> - using devfs for /dev (kernel 2.4 and package devfsd installed)
Alternatively you can copy /dev to a ramdisk.
And please don't use devfsd. That somewhat cancels out half of
Russell Coker wrote:
It sounds like we need a propolice enabled GCC.
I have talked to Matthias Klose, one of the GCC maintainers, about this.
He included the patch so he could build ProPolice-enabled packages of
gcc and g++ but he's currently too busy with other things. He might
accept a patch t
On Thu, 21 Aug 2003 17:39, Xavier Roche wrote:
> Major issues for a ro-/ are maybe:
> - using devfs for /dev (kernel 2.4 and package devfsd installed)
Devfs is getting less support now, it might not be the best time to start
depending on it.
--
http://www.coker.com.au/selinux/ My NSA Security
On Thu, 21 Aug 2003, Russell Coker wrote:
> Who is interested in stack protection?
> I think it would be good to have some experiments of stack protected packages
> for Debian.
> Also is there any interest in uploading a kernel-image package with the grsec
> PaX support built in?
grsec is IMHO
On Thu, 21 Aug 2003 14:56, Brian May wrote:
> On Thu, Aug 21, 2003 at 12:57:06PM +1000, Russell Coker wrote:
> > Who is interested in stack protection?
> >
> > I think it would be good to have some experiments of stack protected
> > packages for Debian. Probably the best way to do this would be to
On Thu, Aug 21, 2003 at 12:57:06PM +1000, Russell Coker wrote:
> Who is interested in stack protection?
>
> I think it would be good to have some experiments of stack protected packages
> for Debian. Probably the best way to do this would be to start with
> ssh-stack and sysklogd-stack being up
49 matches