
Re: stack protection



On Mon, Aug 25, 2003 at 04:14:12PM +1000, Russell Coker wrote:
> On Mon, 25 Aug 2003 07:48, Milan P. Stanic wrote:
> > > Also I don't expect DJB to write replacements for dhcpd, dhclient, ftpd,
> > > cron,
> >
> > Maybe someone else should do that, I hope at least.
> 
> What should be done for the few years that we probably have to wait for such 
> programs to be written?

There are some of them: vsftpd, pure-ftpd, udhcp, uschedule ... to name
just a few. They are not 100% secure, but they are more secure than
software written by ISC.

[ I don't want to offend Paul Vixie or the ISC programmers. They did a good
job in the beginnings of the Internet, and in those days they probably
didn't anticipate how hostile the network for collaboration, sharing ideas
and knowledge, and extending freedom would become ... ]

[ BTW, a good measure for security is: don't use ISC software! :-) ]

[...]
> > If attacker can poison DNS cache or fake DHCP server to do something
> > nasty then the problem with SE Linux is just mitigated, not solved.
> 
> Mitigating a problem so that it only allows DOS attacks or attacks of limited 
> means (such as making a DNS or DHCP server return bogus data) rather than 
> having it allow full administrative access is more than a little mitigation!

I don't like to argue, but that is mitigation, not a solution. With
SE Linux the problem can be mitigated a lot, I agree, and I really like that
we have it now in Debian (due to your effort), but this isn't a solution.

[ OK, I'm coming to think that we will never have a secure system, because
absolute security is against nature. ]

[...]
> > I'm not against choice, I just don't like the idea that stack
> > protection and similar code could become "mainstream" one day.
> 
> Why?  I've used OpenWall and PaX and not found any programs that fail to work 
> correctly with them.

I'm sure you know how easy it is to write one. If you and I don't know of
such a program, that doesn't mean there isn't one in the wild.



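As an added example (not from this thread or its authors): the practical way to find the programs the exchange above argues about, those that fail under a non-executable stack such as PaX or OpenWall enforce, is to check the PT_GNU_STACK program header of each ELF binary; a binary whose header carries PF_X is asking for an executable stack. The C below does that check on an ELF64 image held in memory and builds its sample image inline, so it runs offline; the function and sample names are my own.

```c
#include <elf.h>
#include <stdint.h>
#include <string.h>

/* Locate the PT_GNU_STACK program header of an in-memory ELF64 image.
 * Returns 1 and stores its p_flags in *pflags; 0 if absent (the kernel then
 * defaults to an executable stack on many architectures); -1 if the image is
 * truncated or not ELF64. PF_X in the flags means the binary asks for an
 * executable stack, so it is one that fails once the kernel refuses that. */
int gnu_stack_flags(const uint8_t *img, size_t len, uint32_t *pflags)
{
    Elf64_Ehdr eh;
    if (len < sizeof eh) return -1;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 || eh.e_ident[EI_CLASS] != ELFCLASS64
        || eh.e_phentsize != sizeof(Elf64_Phdr)) return -1;
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        uint64_t off = eh.e_phoff + (uint64_t)i * sizeof ph;
        if (off + sizeof ph > len) return -1;      /* truncated program header table */
        memcpy(&ph, img + off, sizeof ph);
        if (ph.p_type == PT_GNU_STACK) { *pflags = ph.p_flags; return 1; }
    }
    return 0;
}

/* Constructed sample (not a real binary): an ELF64 header followed by a single
 * PT_GNU_STACK program header carrying stack_flags. Returns the image length. */
size_t build_sample(uint8_t *out, uint32_t stack_flags)
{
    Elf64_Ehdr eh = {0};
    Elf64_Phdr ph = {0};
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_phoff = sizeof eh;
    eh.e_phentsize = sizeof ph;
    eh.e_phnum = 1;
    ph.p_type = PT_GNU_STACK;
    ph.p_flags = stack_flags;       /* PF_R|PF_W|PF_X is what `execstack -s` marks */
    memcpy(out, &eh, sizeof eh);
    memcpy(out + sizeof eh, &ph, sizeof ph);
    return sizeof eh + sizeof ph;
}
```

To audit a real system, read each binary into a buffer and call gnu_stack_flags on it; this is the same header that `execstack -q` reports.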