[opensuse] Re: A BIG "show stopper" for openSUSE at the corporate level anyway!!
On Wed, 09 Jul 2008 22:02:31 +0200, Carlos E. R. wrote:
No, it prevents a program initiated by the system, a program serving some service, from accessing things it was not designed to access. And it doesn't mean the user did something wrong: it may be that a cracker found a hole and violated apache.
I see. So the system initiates programs - sometimes programs that are untrusted? Perhaps sometimes programs that are *infected* with something?
Even if an on-access-scanner scanned the apache binary chances are it wouldn't find anything wrong... because linux binaries are very diverse.
Sure, but it wouldn't be the apache binaries that were at issue. It'd be whatever it was that apache *called* that behaved badly.
Jim
--
Jim Henderson
Please keep on-topic replies on the list so everyone benefits
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
The Wednesday 2008-07-09 at 21:36 -0000, Jim Henderson wrote:
On Wed, 09 Jul 2008 22:02:31 +0200, Carlos E. R. wrote:
No, it prevents a program initiated by the system, a program serving some service, from accessing things it was not designed to access. And it doesn't mean the user did something wrong: it may be that a cracker found a hole and violated apache.
I see. So the system initiates programs - sometimes programs that are untrusted? Perhaps sometimes programs that are *infected* with something?
No, trusted programs, but being daemons that serve services from the outside, they are at risk.
Even if an on-access-scanner scanned the apache binary chances are it wouldn't find anything wrong... because linux binaries are very diverse.
Sure, but it wouldn't be the apache binaries that were at issue. It'd be whatever it was that apache *called* that behaved badly.
No, you need to know in advance what apache will call (everything!). If apache is protected by an AA profile it cannot start anything not in the profile, and the children themselves have to be profiled beforehand. So yes, it is the apache binaries that are at issue here (for AA).
--
Cheers, Carlos E. R.
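Added example, not part of the original thread and not a profile shipped by openSUSE: a sketch of an AppArmor profile for a hypothetical daemon standing in for apache, illustrating the point in the message above that a confined program can only start what its profile lists, and that a child started under `px` needs its own profile loaded beforehand. The binary `/usr/sbin/exampled` and every path in it are constructed for illustration.

```apparmor
# Constructed example: /usr/sbin/exampled and every path below are hypothetical.
#include <tunables/global>

/usr/sbin/exampled {
  #include <abstractions/base>

  # The daemon may map and read its own binary.
  /usr/sbin/exampled mr,

  # Bind to a privileged port and speak TCP; no other capability is granted.
  capability net_bind_service,
  network inet stream,

  # Configuration is read-only. In enforce mode a write attempt here is
  # denied and logged; while building the profile, this is the kind of
  # request the admin has to judge (allow, disallow, or report).
  /etc/exampled/** r,

  # Content it serves and the log it writes to.
  /srv/exampled/htdocs/** r,
  /var/log/exampled/*.log w,

  # Executables the daemon may start. Anything not matched by an exec rule
  # (for instance /bin/sh) cannot be started at all.
  # ix: the child inherits and runs under this same profile.
  /usr/lib/exampled/cgi-bin/* ix,
  # px: the child switches to its own profile, which must already be loaded;
  # without one the exec fails.
  /usr/lib/exampled/helper px,
}

# The separate profile required by the px rule above.
/usr/lib/exampled/helper {
  #include <abstractions/base>

  /usr/lib/exampled/helper mr,
  /var/spool/exampled/** rw,
}
```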
On Thu, 10 Jul 2008 01:07:28 +0200, Carlos E. R. wrote:
No, it prevents a program initiated by the system, a program serving some service, from accessing things it was not designed to access. And it doesn't mean the user did something wrong: it may be that a cracker found a hole and violated apache.
I see. So the system initiates programs - sometimes programs that are untrusted? Perhaps sometimes programs that are *infected* with something?
No, trusted programs, but being daemons that serve services from the outside, they are at risk.
And who determines the program is trusted? When profiling the program, if it's already infected, what flags are raised? (With AA I honestly don't know).
So yes, it is the apache binaries that are at issue here (for AA).
Jim
The Thursday 2008-07-10 at 16:06 -0000, Jim Henderson wrote:
No, trusted programs, but being daemons that serve services from the outside, they are at risk.
And who determines the program is trusted? When profiling the program, if it's already infected, what flags are raised? (With AA I honestly don't know).
You determine it. If, when creating the profile you see that it wants to write to a configuration file that you think it shouldn't, you will have to decide to allow or disallow or report to suse...
--
Cheers, Carlos E. R.
On Thu, 10 Jul 2008 19:45:54 +0200, Carlos E. R. wrote:
The Thursday 2008-07-10 at 16:06 -0000, Jim Henderson wrote:
No, trusted programs, but being daemons that serve services from the outside, they are at risk.
And who determines the program is trusted? When profiling the program, if it's already infected, what flags are raised? (With AA I honestly don't know).
You determine it.
If, when creating the profile you see that it wants to write to a configuration file that you think it shouldn't, you will have to decide to allow or disallow or report to suse...
So user error still can cause an infected executable to be used....
Jim
The Thursday 2008-07-10 at 19:18 -0000, Jim Henderson wrote:
And who determines the program is trusted? When profiling the program, if it's already infected, what flags are raised? (With AA I honestly don't know).
You determine it.
If, when creating the profile you see that it wants to write to a configuration file that you think it shouldn't, you will have to decide to allow or disallow or report to suse...
So user error still can cause an infected executable to be used....
Not user, admin error. And/or Novell/Suse error (the profiles are supplied by them).
--
Cheers, Carlos E. R.
On Fri, 11 Jul 2008 00:55:21 +0200, Carlos E. R. wrote:
So user error still can cause an infected executable to be used....
Not user, admin error. And/or Novell/Suse error (the profiles are supplied by them).
Often times, the user is the admin....
Jim
Participants (2): Carlos E. R., Jim Henderson