Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 2 Sep 2002 18:37:43 +0200
From: Radoslaw Stachowiak <radek@...er.pl>
To: owl-users@...ts.openwall.com
Subject: Re: [sOT] General security/permissions issues (long)

*** Michael Tokarev <mjt@....msk.ru> [Monday, 26.August.2002, 22:08 +0400]:
> There is another directory, bases/, where all av bases
> (*.vdb files for drwebd - virus signatures) are keept.
> This directory should be readable by drwebd - obviously -
> so that daemon can read it's data.  But it should NOT
> be *writable* by daemon: if by any chance an attacker
> will have control over drweb daemon (a complex piece
> of software, closed source, yadda-yadda), he should NOT
> be able to mess with those.  For now, directory bases/
> and all files within is owned by root:root.

Just my 0.02$

looks for me that a mistake in assumption made above has 'created' this
rather complicated problem while in fact it does not exist :)  

Why?

Because those files (bases/) are for drwebd. Assuming that someone has
control over drwebd means that he can do whatever he wants. read: can
disable AV checks regardless bases/ files are good or wrong. in other
words: after drwebd compromise, bases/ files have lost their value, so
protecing them has no sense.

So this all solutions do not prevent attacker from his objectives (after
succesful drwebd compromise).

This is based on my assumption (maybe wrong?) that bases/ files are
only used for drwebd.

Anyway (maybe i'm wrong with sth else), solution with two separate
connections is what i like.

-- 
radoslaw.stachowiak.........................................http://alter.pl/

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.