Search: Home Bugtraq Vulnerabilities Mailing Lists Jobs Tools Vista
How not to respond to a security advisory
Jason Miller, 2006-01-18

A recently announced weakness in the BSD securelevel system isn't going to be fixed in OpenBSD. While securelevel may have problems, the vendor's security response is unacceptable and doesn't fit with their stated goals.

Comments Mode:
How not to respond to a security advisory 2006-01-19
Miles (3 replies)
Re: How not to respond to a security advisory 2006-01-19
Dwight
Re: How not to respond to a security advisory 2006-01-19
Anonymous
Secure levels as a control is too coarse grained 2006-01-19
Anonymous (1 replies)
It is way too coarse grained for suitable control. Things that are disabled (at a level 2) still need to be done to online systems. Even at level 1 you have a number of problems.

a. if a filesystem is damaged (hardware failure) you cannot take it out of service for repair/replacement without rebooting.
b. you cannot reliably restart daemons (file system failure, changed security level since daemon startup.
c. forced frequent reboots - not a good thing on large servers.

As far as coarse control - it still doesn't prevent a root user from rebooting the system to take it over during the restart.

You need enforcable, fine grained, capability lists to do that.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/380/32975#32975
Re: Secure levels as a control is too coarse grained 2006-01-21
Anonymous
How not to respond to a security advisory 2006-01-19
Anonymous
How not to respond to a security advisory 2006-01-19
Anonymous (1 replies)
Re: How not to respond to a security advisory 2006-01-25
Matthew Murphy
How not to respond to a security advisory 2006-01-19
DS
How not to respond to a security advisory 2006-01-19
Anonymous (2 replies)
Re: How not to respond to a security advisory 2006-01-19
Kelly Martin
Re: How not to respond to a security advisory 2006-01-21
Anonymous
How not to respond to a security advisory 2006-01-19
Anonymous
Linux security contact 2006-01-19
Anonymous
Theo being theo... 2006-01-19
Anonymous (2 replies)
Re: Theo being theo... 2006-01-20
Anonymous
Re: Theo being theo...(Theo is best!) :) 2006-01-23
LinuxUser
What total nonsense. 2006-01-19
Anonymous
How not to respond to a security advisory 2006-01-20
Anonymous (1 replies)
Re: How not to respond to a security advisory 2006-01-26
Anonymous
How not to respond to a security advisory 2006-01-20
Fred Cohen
TdR says loud what Linux & FreeBSD assume silently 2006-01-20
Anonymous
How not to respond to a security advisory 2006-01-20
Anonymous (1 replies)
Re: How not to respond to a security advisory 2006-01-23
LinuxUser
How not to respond to a security advisory 2006-01-21
Anonymous (1 replies)
Re: How not to respond to a security advisory 2006-01-24
Anonymous
"Root problem" again 2006-01-24
Alexey Vesnin
How not to respond to a security advisory 2006-01-25
Michael Favinsky (1 replies)
Re: How not to respond to a security advisory 2006-01-25
Anonymous (1 replies)
Re: Re: How not to respond to a security advisory 2006-02-04
Anonymous
this is a non-issue 2006-02-04
Anonymous







 

Privacy Statement
Copyright 2008, SecurityFocus