
Re: Whom the BIND newest vulnerability....



On Fri, 12 Nov 1999, Cherubini Enrico wrote:
>Ciao,
> Fri, Nov 12, 1999 at 02:10:25PM +0100, Russell Coker wrote:
>
>> Can the people who make the policy please consider putting in place a policy
>> regarding packages which often have security problems.  If such a package can
>> be run as non-root then IMHO the default procedure suggested by policy
>> should be to run in that fashion.
>> While we are at it, for most usage sendmail can run as non-root.  Could we
>> have it default to non-root too?
>I suggested many months ago that it would be nice to have critical packages
>compiled both with the standard compiler and with a stackguarded one. Bind is one of
>them, IMHO. It would not be much work for the maintainer, just to change PATH
>to allow execution of the first or the second compiler, but a big
>enhancement in both security and Debian's image...don't tell me about loss
>in performance...someone who breaks in to the system as root is surely worse
>than a small amount of CPU.

I believe that stackguard has the potential to change the operation of the
program and potentially introduce bugs.  Running it as non-root involves
using the same binaries, no loss of performance, and no change in operation.
Stackguard would be good for an FTP server (can't be run as non-root for
obvious reasons).

-- 
Electronic information tampers with your soul.

