
RE: Secure 2.4.x kernel



Greetings,

I have experimented with creating an EXEC capability that is turned on by default (as a quick hack). I didn't consider fork at the time since most breaches involve execing a shell (or some other binary).

G'day,
sjames


Quoting Gary MacDougall <gary@freeportweb.com>:

> Interesting.
> 
> Has someone done some work on this?
> I mean, let's face it, you're running a bunch of
> servers and they have boatloads of daemons.  Why
> they'll need to fork/exec a shell is really a good
> question -- in my mind, they don't.  I could be wrong.
> 
> Why not simply build this ability into the kernel?
> Could be an option at menuconfig time...
> 
> Gary
> 
> -----Original Message-----
> From: Kelly Martin [mailto:kellym@fb00.fb.org]
> Sent: Friday, December 21, 2001 12:24 PM
> To: 'Robert Clay'; debian-security@lists.debian.org
> Subject: RE: Secure 2.4.x kernel
> 
> 
> As far as I know, Linux does not support doing that.  So the way you do it
> is modify your kernel to make fork and exec revokable syscalls, write a
> syscall allowing a process to request revocation of unneeded syscalls, and
> add that call to your daemon.
> 
> Kelly
> 
> > -----Original Message-----
> > From:	Robert Clay [SMTP:JClay@techteam.com]
> > Sent:	Friday, December 21, 2001 11:17 AM
> > To:	debian-security@lists.debian.org
> > Subject:	RE: Secure 2.4.x kernel
> >
> > And how would one do that?
> >
> > >>> Kelly Martin <kellym@fb00.fb.org> 12/21/01 12:09PM >>>
> > ...Taking away the fork and exec syscalls from a daemon which does not
> > need to do either would be a good start.
> >
> >
> >
> >
> > --
> > To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> > with a subject of "unsubscribe". Trouble? Contact
> > listmaster@lists.debian.org
> >
> 
> 
> ---
> Incoming mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.310 / Virus Database: 171 - Release Date: 12/19/2001
> 



----------------------------steven james, director of research, linux labs
LinuxBIOS Cluster Solutions                   230 peachtree st nw ste 2705
High-Speed Colocation, Hosting,                        atlanta.ga.us 30303
Linux Hardware, Development & Support             http://www.linuxlabs.com
* Visit us at SuperComputing 2001, Booth 539 *   office/fax 404.577.7747/3
--------------------------------------------------------------------------
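
The revocation call Kelly describes, as an added example that is not part of the original thread: on current Linux kernels a daemon can give up exec and process creation for itself with a seccomp-BPF filter, with no kernel patch. This assumes a kernel and headers with seccomp filter support (not the 2.4.x kernels under discussion); `revoke_exec_and_fork` and `probe_after_revocation` are hypothetical names.

```c
#include <errno.h>
#include <stddef.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#if defined(__x86_64__)
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#endif
/* Two BPF instructions: if the loaded syscall number is nr, fail it with EPERM. */
#define DENY(nr) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
                 BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM)
/* One-way revocation for the caller. clone is denied too, so no new threads. */
int revoke_exec_and_fork(void) {
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),    /* foreign ABI */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x40000000, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),    /* x32 numbering */
        DENY(__NR_execve), DENY(__NR_execveat), DENY(__NR_clone),
#ifdef __NR_clone3
        DENY(__NR_clone3),
#endif
#ifdef __NR_fork                                        /* absent on aarch64 */
        DENY(__NR_fork), DENY(__NR_vfork),
#endif
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = sizeof prog / sizeof prog[0], .filter = prog };
    return (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
            prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog)) ? -1 : 0;
}
int probe_after_revocation(void) {  /* bit 0: exec denied, bit 1: fork denied */
    int status, r = 0; pid_t pid = fork();
    if (pid == 0) {                 /* constructed demo child */
        if (revoke_exec_and_fork() != 0) _exit(100);
        if (execl("/bin/sh", "sh", "-c", "exit 0", (char *)NULL) == -1 && errno == EPERM) r |= 1;
        if (fork() == -1 && errno == EPERM) r |= 2;
        _exit(r);
    }
    return (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}
int main(void) { return probe_after_revocation() == 3 ? 0 : 1; }
```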









