On Fri, 8 Jul 2011 15:09:52 +0400 "Ilya Bakulin" <webmas...@kibab.com> mentioned:
> [CCing Ben, Robert and Jonathan as it's very important for me to receive > their feedback about my thoughts] > > Let me focus on those application ideas that you've mentioned. All the > following are my thoughts and this may be incorrect, in this case please > correct me. > > > -any server software > Yes, server software is a good candidate for bringing cap.mode in. Though > this applies to servers that do not include in-process support for > interpreters (ie Apache + mod_php), see later why. Such software as nginx, > lighttpd is OK. Speaking about base system components, this list includes > inetd daemons (but modification of inetd itself is NOT sufficient and > ineffective, capability support implies modifying code of daemons) I would also suggest our Heimdal Kerberos implementation as it performs a lot of non-trivial ASN.1 and GSSAPI decapsulation/encapsulation when processing packets and we saw a lot of vulenrabilities in the past in these areas. Unfortunately, Heimdal will be probably to large to break into compartments. -- Stanislav Sedov ST4096-RIPE () ascii ribbon campaign - against html e-mail /\ www.asciiribbon.org - against proprietary attachments _______________________________________________ freebsd-hackers@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-hackers To unsubscribe, send any mail to "freebsd-hackers-unsubscr...@freebsd.org"
