| gabriel rosenkoetter on Wed, 19 Jun 2002 11:02:52 +0200 |
|
On Tue, Jun 18, 2002 at 12:23:17PM -0400, Bill Jonas wrote: > Yes, but the program still effectively (no pun intended) runs as root, > and it has to explicitly drop privileges once it accomplishes what it > needed root privileges to accomplish. ... as any sanely-written implementation of all of the things you mentioned would. (Note that it's impossible to have a sanely implemented X server on IA32 because of the ways in which X really does need to lock the memory on the graphics card and the fact that you can *only* do that insecurely on IA32. One more reason I dislike the architecture.) > Yes, but consider this: probably a year or so ago I was looking around > for an identd to run on my (then) OpenBSD firewall that had > functionality like midentd (a masquerading identd), which only runs on > Linux, to my knowledge. humbug:/usr/pkgsrc# cat net/nidentd/DESCR identd that does IPv6, IPv4 and NAT with IPv4. NOTE: You should not rely on the data integrity the identd protocol tries to provide you with. If you think you need this, you really need protocols which do strong host and/or user authentication such as ssh and IPsec in conjunction with audit trails. Note also that this package is not very efficient in that it runs several processes per connection. (The "NAT with IPv4" is what you thought you needed midentd for, right?) That's from NetBSD pkgsrc; if there isn't an OpenBSD port already, there's something in their ports collection to convert from the NetBSD format. [clip] > Well, perhaps I'm agreeing with you, after all. ;) Since you've actually tried to code something with the suid bit set caring about its security, you should be. :^> -- gabriel rosenkoetter gr@eclipsed.net Attachment:
pgpEUXtKpVcAr.pgp
|
|