Re: Security in general (was Re: Proposal "LUID")

From: Linda Walsh (law@sgi.com)
Date: Tue Apr 18 2000 - 10:15:17 EST


"Michael H. Warfield" wrote:
> I used to think that making the stack non-executable would at
> least make it tougher. The existence of such a simple payload requiring
> no assembly language work at all points out just what a lie that idea is.
> Sad to say but non-executable stacks are no help at all.

---
	That's where real-time audit monitoring and response come in.  
The log monitor sees UID=root, LUID=daemon, 'exec'ing any programs not
on an 'allowed' list and it can shut down the port/process immediately --
The list of programs spawned by a system daemon and UID=root is or can be a
fairly small list.  Programs like inetd shouldn't be writing to any file
directly AFAIK.  Suppose you hack in through sendmail (assuming you still
run it as root) -- you can be alarmed about any files written outside
of /var/mail or a user's directory.  I still think all of these things
provide increasing layers of difficulty.

-- Linda A Walsh | Trust Technology, Core Linux, SGI law@sgi.com | Voice: (650) 933-5338
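
The audit check described in the message above, as an added example that is not part of the original post or of any LUID patch: it flags root processes with LUID=daemon that exec a program off the allowlist or write outside their expected directories. The key=value record format, the policy tables and the sample records are all constructed assumptions.

```python
import posixpath
import shlex

# Assumed policy (hypothetical values): per-daemon exec allowlist and write roots.
EXEC_ALLOW = {
    "inetd": {"/usr/sbin/in.ftpd", "/usr/sbin/in.telnetd"},
    "sendmail": {"/usr/bin/procmail"},
}
WRITE_ROOTS = {
    "inetd": (),                         # inetd should not write files directly
    "sendmail": ("/var/mail", "/home"),  # mail spool or a user's directory
}

def parse(line):
    """Split one key=value audit record (assumed format) into a dict."""
    return dict(tok.split("=", 1) for tok in shlex.split(line))

def inside(path, roots):
    """True if the already-normalized path lies under one of the roots."""
    return any(path == r or path.startswith(r + "/") for r in roots)

def check(rec):
    """Return (pid, event, path) for a policy violation, else None."""
    # Only daemon-origin root activity is in scope: UID=root, LUID=daemon.
    if rec.get("uid") != "0" or rec.get("luid") != "daemon":
        return None
    comm, event = rec.get("comm", ""), rec.get("event", "")
    # Normalize first so "/var/mail/../../etc/passwd" cannot pass a prefix test.
    path = posixpath.normpath(rec.get("path", ""))
    if event == "exec":
        ok = path in EXEC_ALLOW.get(comm, set())
    elif event == "write":
        ok = inside(path, WRITE_ROOTS.get(comm, ()))
    else:
        ok = True
    return None if ok else (int(rec.get("pid", -1)), event, path)

def scan(lines):
    """Run every record through check() and collect the violations."""
    return [hit for hit in (check(parse(l)) for l in lines) if hit]

# Constructed sample records, not real audit output.
SAMPLE = [
    "event=exec uid=0 luid=daemon pid=410 comm=inetd path=/usr/sbin/in.ftpd",
    "event=exec uid=0 luid=daemon pid=411 comm=inetd path=/bin/sh",
    "event=write uid=0 luid=daemon pid=502 comm=sendmail path=/var/mail/alice",
    "event=write uid=0 luid=daemon pid=502 comm=sendmail path=/var/mail/../../etc/passwd",
    "event=exec uid=0 luid=law pid=733 comm=bash path=/bin/ls",
    "event=write uid=0 luid=daemon pid=410 comm=inetd path=/etc/inetd.conf",
]
```

The pids returned by scan(SAMPLE) are what a responder would act on; the root shell with luid=law is skipped because it traces back to a login session rather than a daemon.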
