(O_RDONLY
fails with EPERM, anything else fails with EISDIR).
--
Glynn Clements gl...@gclements.plus.com
later. It needs to be created with the
restrictive permissions from the outset.
--
Glynn Clements gl...@gclements.plus.com
. JavaScript (although for Firefox, you would
probably want the limit to only be applied to external JavaScript,
given that much of the browser itself is written in JavaScript).
--
Glynn Clements [EMAIL PROTECTED]
problem I can see is that it's not at all uncommon to have
dozens or even hundreds of hostnames all resolve to a single IP
address belonging to a shared server. Requesting a PTR record for that
IP address typically isn't going to give you the hostname you started
with.
--
Glynn Clements [EMAIL
to bare-bones POSIX (no capabilities,
or extensions such as SELinux or RSBAC), the set of features is rather
lacking in this regard.
--
Glynn Clements [EMAIL PROTECTED]
is a workaround (mitigation strategy), not a
fix.
--
Glynn Clements [EMAIL PROTECTED]
the actual initiator probably isn't feasible, so clearing PDEATHSIG
on setuid exec() is probably the only viable solution.
--
Glynn Clements [EMAIL PROTECTED]
is a security issue regardless of whether or
not one can provide a useful scenario immediately upon the issue
becoming known.
--
Glynn Clements [EMAIL PROTECTED]
extension that programmers won't have heard of and
won't be expecting to have to manually reset.
--
Glynn Clements [EMAIL PROTECTED]
for a setuid/setgid
program to *exhaustively* sanitise (or at least validate) its
operating environment.
--
Glynn Clements [EMAIL PROTECTED]
the parent death signal).
But the suggestion that this should be reset on exec() (at least for a
suid/sgid binary) is sound, IMHO.
Moreover, I would suggest that exec()ing a suid/sgid binary should
reset *everything* which is not explicitly specified as being
preserved.
--
Glynn Clements [EMAIL
to the secure device, which
realistically requires a better communication channel than a keypad.
--
Glynn Clements [EMAIL PROTECTED]
the
built-in software renderer.
--
Glynn Clements [EMAIL PROTECTED]
legitimate pen-testing difficult. It may
not be possible to simply outsource pen-testing to a country where
such tools are legal (e.g. due to laws restricting the transfer of
sensitive data abroad).
--
Glynn Clements [EMAIL PROTECTED]
the cookie. IOW, a protocol
change. Anything else is papering over the cracks.
--
Glynn Clements [EMAIL PROTECTED]
the act of opening a device
under Windows can have undesirable side effects?
--
Glynn Clements [EMAIL PROTECTED]
-byte sequences have the (binary) form:
110x 10xx
The range 0-127 (which must use the single-byte form instead)
corresponds to:
110x 10xx
Hence, any sequence beginning with 1100 (0xC0) or 1101 (0xC1)
is illegal.
--
Glynn Clements [EMAIL PROTECTED]
ur $TMPDIR, so there shouldn't be any
need to use public directories.
3.3. Problem
Functions like read-passwd do not clear the the history of
recently typed keys. In fact, there is no way to do that from
Emacs Lisp.
Ditto for XEmacs.
--
Glynn Clements [EMAIL PROTECTED]
y write
to the stack/data segment then execute the code via the code segment
(return addresses are implicitly relative to the code segment).
--
Glynn Clements [EMAIL PROTECTED]
19 matches
Mail list logo
