Date: Sat, 13 Nov 2004 05:26:57 +0300
From: Michael Tokarev <mjt@....msk.ru>
To: owl-users@...ts.openwall.com
Subject: Re: iSEC advisory about binfmt_elf

Solar Designer wrote:
[]
> Yes, thanks.  For traceroute, however, the solution is simpler.  We
> need to move to Olaf Kirch's implementation of it:
> 
> 	http://rechner.lst.de/~okir/traceroute/
> 	ftp://ftp.lst.de/pub/people/okir/traceroute

Woops.. the problem with this implementation is that it does
not support ICMP trace (-I option), which I use on a regular
basis, especially in relation to various spammers and tricks
used to hide their real networks/sites.  UDP traceroute is
blocked in a lot of places nowadays, but ICMP still works.
Of course, TCP mode (tcptraceroute) works even better... in
some cases.. ;)

But heh, looks like this very ability - ICMP trace - is what
requires +s bit, to obtain access to raw socket.. just like
ping.

> For ping, yes, we might have to use something like your patches...
> although I'd hate to have the Owl userland _require_ (rather than just
> support) patched kernels.

Speaking of kernel patches..  Trustees, bsdjail, maybe rsbac, extattr
with capabilities...  there is a lot of various stuff available (of
various quality and usability too ;)  E.g., almost all of current +s
probs could be solved with extended attributes and +capability bits
instead of +s bits (I don't like per-file attributes because they're
"hidden" inside a directory hierarchy; other approaches, like used
by rsbac/trustees, by specifying a list of "important" files somewhere
in /etc - also work).  I understand that's a major step to start
using any of those systems...

/mjt
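
An added example, not part of the original message: an audit helper that tells whether a binary such as ping or traceroute gets its raw-socket privilege from the +s bit or from a capability stored in an extended attribute. It assumes the Linux `security.capability` xattr layout from `<linux/capability.h>`, which the message does not describe; the function names are hypothetical.

```python
import os
import stat
import struct

# Constants from Linux <linux/capability.h> (assumed format, not from the message)
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
# revision -> number of 32-bit {permitted, inheritable} pairs that follow
VFS_CAP_U32 = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}
CAP_NET_RAW = 13  # the capability a raw ICMP socket needs


def decode_file_caps(blob):
    """Decode a security.capability value into (permitted, inheritable, effective)."""
    if len(blob) < 4:
        raise ValueError("truncated capability xattr")
    (magic_etc,) = struct.unpack_from("<I", blob, 0)
    pairs = VFS_CAP_U32.get(magic_etc & VFS_CAP_REVISION_MASK)
    if pairs is None or len(blob) < 4 + 8 * pairs:
        raise ValueError("unknown revision or truncated capability xattr")
    permitted = inheritable = 0
    for i in range(pairs):
        p, inh = struct.unpack_from("<II", blob, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    effective = bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE)
    return permitted, inheritable, effective


def classify(mode, cap_blob):
    """Say where a binary's privilege comes from, given st_mode and the xattr."""
    if mode & stat.S_ISUID:
        return "setuid"  # privileges of the file owner on exec
    if not cap_blob:
        return "unprivileged"
    permitted, _, _ = decode_file_caps(cap_blob)
    if permitted == 1 << CAP_NET_RAW:
        return "cap_net_raw only"  # enough for a raw socket, nothing more
    return "other capability set"


def audit(path):
    """Classify a file on disk (Linux only: reads the security.capability xattr)."""
    try:
        blob = os.getxattr(path, "security.capability")
    except OSError:
        blob = b""  # no xattr set, or filesystem without xattr support
    return classify(os.stat(path).st_mode, blob)
```
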
