Re: new privsep for rsa and ca [was: [OpenSMTPD] master snapshot opensmtpd-201405071639 available]
On Mon, May 12, 2014 at 5:19 PM, Gilles Chehade gil...@poolp.org wrote:
> We have abused the term privsep, in this particular case it's not really
> privileges separation but really vmem. space separation. The goal was to
> isolate that code from the network, it could be done in the lookup process
> (as done with first version) but it's just nicer for us to have this done
> in a standalone process.

The idea being to protect against heartbleed-style attacks? But not to
protect against, say, arbitrary code execution?
Re: new privsep for rsa and ca [was: [OpenSMTPD] master snapshot opensmtpd-201405071639 available]
On Tue, May 13, 2014 at 07:08:10PM +0200, Jason A. Donenfeld wrote:
> On Mon, May 12, 2014 at 5:19 PM, Gilles Chehade gil...@poolp.org wrote:
>> We have abused the term privsep, in this particular case it's not really
>> privileges separation but really vmem. space separation. The goal was to
>> isolate that code from the network, it could be done in the lookup process
>> (as done with first version) but it's just nicer for us to have this done
>> in a standalone process.
>
> The idea being to protect against heartbleed-style attacks? But not to
> protect against, say, arbitrary code execution?

yes, the process is already isolated, we don't really think there's any
reason to also have a dedicated user

--
Gilles Chehade
https://www.poolp.org @poolpOrg

--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
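Added example, not part of the thread and not OpenSMTPD code: a minimal C sketch of the address-space separation discussed above, where a forked key holder running under the same UID answers signing requests over a socketpair and the network-facing process never holds the key. All names (toy_sign, ca_start, ca_sign, ca_stop) are hypothetical; FNV-1a stands in for the RSA private-key operation, and a random key read after fork() stands in for loading the key file.

```c
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>

enum { KEYLEN = 16, DIGLEN = 32 };
static unsigned char key[KEYLEN]; /* filled only in the key holder, zero elsewhere */
/* Stand-in for the RSA private-key operation (assumption): FNV-1a over key || digest. */
uint64_t toy_sign(const unsigned char *k, const unsigned char *d) {
    uint64_t h = 1469598103934665603ULL;
    for (int i = 0; i < KEYLEN; i++) h = (h ^ k[i]) * 1099511628211ULL;
    for (int i = 0; i < DIGLEN; i++) h = (h ^ d[i]) * 1099511628211ULL;
    return h;
}
/* Fork the key holder; return the caller's end of the socket to it, or -1. */
int ca_start(void) {
    int sv[2];
    unsigned char d[DIGLEN];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1) return -1;
    pid_t pid = fork();
    if (pid > 0) { close(sv[1]); return sv[0]; }
    if (pid == -1) { close(sv[0]); close(sv[1]); return -1; }
    FILE *f = fopen("/dev/urandom", "rb"); /* child: stand-in for reading the key file */
    close(sv[0]);
    if (!f || fread(key, 1, KEYLEN, f) != KEYLEN) _exit(1);
    while (recv(sv[1], d, DIGLEN, MSG_WAITALL) == DIGLEN) {
        uint64_t sig = toy_sign(key, d);
        if (send(sv[1], &sig, sizeof(sig), 0) != (ssize_t)sizeof(sig)) break;
    }
    _exit(0);
}
/* Network-facing side: send a digest, get a signature back, never see the key. */
int ca_sign(int fd, const unsigned char *d, uint64_t *sig) {
    if (send(fd, d, DIGLEN, 0) != DIGLEN) return -1;
    return recv(fd, sig, sizeof(*sig), MSG_WAITALL) == (ssize_t)sizeof(*sig) ? 0 : -1;
}
int ca_stop(int fd) { /* closing the socket gives the key holder EOF; then reap it */
    close(fd);
    return wait(NULL) > 0 ? 0 : -1;
}
int main(void) {
    unsigned char d[DIGLEN] = "constructed sample digest";
    uint64_t sig = 0;
    int fd = ca_start();
    if (fd < 0 || ca_sign(fd, d, &sig)) return 1;
    printf("sig %016llx, local key matches: %d\n", (unsigned long long)sig, sig == toy_sign(key, d));
    return ca_stop(fd);
}
```

A memory over-read in the calling process can reach only the zeroed key buffer, which is the Heartbleed-style case raised in the thread. Code running in that process still holds the socket and can request signatures, so the split limits key disclosure rather than key use.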
Re: new privsep for rsa and ca [was: [OpenSMTPD] master snapshot opensmtpd-201405071639 available]
On Fri, May 09, 2014 at 06:49:50PM +0200, Jason A. Donenfeld wrote:
> On Thu, May 8, 2014 at 2:56 PM, Gilles Chehade gil...@poolp.org wrote:
>> On Thu, May 08, 2014 at 05:08:36AM +0200, Jason A. Donenfeld wrote:
>> no, no new UID/username required
>
> Curious, then, as to what kind of privsep this provides...

Just catching up on my mails, sorry for the delay.

We have abused the term privsep, in this particular case it's not really
privileges separation but really vmem. space separation. The goal was to
isolate that code from the network, it could be done in the lookup process
(as done with first version) but it's just nicer for us to have this done
in a standalone process.

--
Gilles Chehade
https://www.poolp.org @poolpOrg
Re: new privsep for rsa and ca [was: [OpenSMTPD] master snapshot opensmtpd-201405071639 available]
On Thu, May 8, 2014 at 2:56 PM, Gilles Chehade gil...@poolp.org wrote:
> On Thu, May 08, 2014 at 05:08:36AM +0200, Jason A. Donenfeld wrote:
> no, no new UID/username required

Curious, then, as to what kind of privsep this provides...
Re: new privsep for rsa and ca [was: [OpenSMTPD] master snapshot opensmtpd-201405071639 available]
On Thu, May 08, 2014 at 05:08:36AM +0200, Jason A. Donenfeld wrote:
> On Wed, May 7, 2014 at 4:43 PM, gil...@poolp.org wrote:
>> - RSA engine privsep by reyk@
>> - ca process, by reyk
>
> Do these require new UIDs/usernames?

no, no new UID/username required

--
Gilles Chehade
https://www.poolp.org @poolpOrg
new privsep for rsa and ca [was: [OpenSMTPD] master snapshot opensmtpd-201405071639 available]
On Wed, May 7, 2014 at 4:43 PM, gil...@poolp.org wrote:
> - RSA engine privsep by reyk@
> - ca process, by reyk

Do these require new UIDs/usernames?