Re: BIND 9.10.1 beta with seccomp functionality

On 19 Aug 2014 17:10, "Tomas Hozza" <thozza@xxxxxxxxxx> wrote:
>
> Hello.
>
> ISC is working on a new BIND 9.10 release which includes the seccomp
> functionality. It can be turned on by configuring BIND before build with
> "--enable-seccomp".
>
> ISC asked me to kindly ask Fedora community if they would be willing to
> test it. Currently I'm working on rebasing BIND to 9.10 in rawhide.
> However it is still not finished. Since DHCP (including dhclient)
> depends on BIND libraries I'm not able to easily provide testing RPMs
> that would be installable.
>
> In the future I would like to turn the feature on by default.
>
> So if you are willing to test the feature, you can download the latest BIND
> 9.10.1b2 from http://www.isc.org/downloads/
>
> Configure it with "--enable-seccomp" and you're good to go.
>
> You can send your feedback to bind-beta-response@xxxxxxxxxxxxx,
> bind-users@xxxxxxxxxxxxx or bind-bugs@xxxxxxx
>
> Some words about the feature from the contributor:
> "It goes further than a chroot. chroot limits an attacker to a
> filesystem. it doesn't prevent the attacker from running his "exploit"
> aka nefarious code and making socket connections over the internet that
> would give him some kind of backdoor access where he can remotely
> execute his code.
>
> That's where seccomp kicks in, it acts as a 2nd wall of defence. In case
> of a security hole being present in the server process, it goes further
> than a chroot, it prevents the attacker from making socket connections
> or executing his code, as his "playing field" is significantly reduced.
> There's very little he can do."

Is there some duplication of the security features that some MAC systems, such as SELinux, offer in the first place? Sure, someone can say that SELinux could be disabled by the lazy sysadmin.

Thanks

Best regards
>
> Thank you.
>
> Regards,
> --
> Tomas Hozza
> Software Engineer - EMEA ENG Developer Experience
>
> PGP: 1D9F3C2D
> Red Hat Inc.                               http://cz.redhat.com
> --
> devel mailing list
> devel@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/devel
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
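
The contributor's point in the quoted message, that a chroot still leaves socket creation and code execution open while a seccomp filter takes them away, shown as an added example (not part of this thread and not BIND's own filter): a minimal deny-list seccomp-BPF filter for Linux. The function names, the `/bin/true` path and a 64-bit x86_64 or aarch64 build are assumptions.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Deny socket() and execve() with EPERM, allow every other syscall.
 * Constructed demo filter: it does not check seccomp_data.arch, which a
 * production filter must do before trusting the syscall number. */
static int install_filter(void) {
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 1, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execve, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = sizeof(prog) / sizeof(prog[0]), .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1; /* needed when unprivileged */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Runs the checks in a child so the caller itself stays unfiltered.
 * Returns a bitmask: 1 = socket() blocked, 2 = execve() blocked,
 * 4 = an ordinary syscall (getpid) still works; -1 on setup failure. */
int probe_sandbox(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int r = 0;
        char *argv[] = { "true", NULL }, *envp[] = { NULL };
        if (install_filter() != 0) _exit(64);
        if (socket(AF_INET, SOCK_STREAM, 0) == -1 && errno == EPERM) r |= 1;
        if (execve("/bin/true", argv, envp) == -1 && errno == EPERM) r |= 2;
        if (getpid() > 0) r |= 4;
        _exit(r);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 64 ? -1 : WEXITSTATUS(status);
}

int main(void) { printf("mask=%d (7: socket+execve blocked, getpid ok)\n", probe_sandbox()); return 0; }
```

The filter is inherited across fork and cannot be removed once installed, so code injected into the filtered process is bound by the same restrictions.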
