Re: another volunteer
On Wed, May 09, 2001 at 03:50:38PM +0100, Alan Cox wrote:
> > unfortunately I have subscribed this list only today.
> > Please, do not hesitate to let me know how can I contribute
> > (eg. what about the establishment of a GNU/Linux Security SIG -
> > task #27482 ?).
> >
>
> Umm interesting I hadn't noticed that task. How is that different from
> security-audit and/or vendor-sec ?
In my opinion, the GNU/Linux Security SIG should address only
the security issues ingrained in either the system interface
or the environment described in LSB specifications.
It should be out of the scope of this SIG to describe how
the developers of GNU/Linux distributions must implement commands
and utilities in a "secure" and robust way (code auditing and
developing are inevitably vendors' tasks).
However, since I have not yet searched the list archive for related
threads, I am seemingly missing some goals for this SIG.
Here is a partial list of issues that may or may not be addressed
by the Security SIG. It would be nice to add other issues to it and
group its items into "must be addressed" and "must not be addressed"
lists.
In no particular order:
Item |Relevant Spec. Sections| Comments
-----------------------------------|-----------------------|----------
libc functions prone to security | 10.1 |
problems | |
-----------------------------------|-----------------------|----------
cryptographic hash functions | chapter 13 |
supported for packages verification| |
-----------------------------------|-----------------------|----------
security issues in dynamic linking | chapter 7 |
-----------------------------------|-----------------------|----------
/dev/{u,}random behavior and how | | more
seeds are handled at system | |generally:
initialization | | PRNG
-----------------------------------|-----------------------|----------
security and environment variables | |
(eg. IFS, PATH, TMPDIR, etc...) | |
-----------------------------------|-----------------------|----------
Posix.1e (POSIX.6) | |
-----------------------------------|-----------------------|----------
PAM or more generally | |
authentication mechanisms | |
-----------------------------------|-----------------------|----------
users & groups | Chapter 16 | already
| | present
| |----------
| | DAC?
-----------------------------------|-----------------------|----------
ownerships and permissions | 17.2 | already
| | present
-----------------------------------|-----------------------|----------
International Kernel Patch and its | |
support | |
-----------------------------------|-----------------------|----------
Thanks,
alfonso