On Tue, Mar 17, 2015 at 05:37:13PM -0400, Benjamin Barenblat wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > Should we be thinking about seccomp for the binaries 'urweb' makes? > > Seccomp is a Linux capabilities system that lets an application define > and institute a policy for allowed system calls. This is normally used > to allow applications to JIT and execute untrusted code (most notably in > Google Chrome), but it could also be a powerful tool to help mitigate > exploits against Ur/Web CGI and FastCGI binaries. > > Obviously, this would do nothing for OS X users, but OS X servers are > sufficiently rare (and Linux-based servers are sufficiently common) that > this could still be a net win. > > What do you think – might modifying 'urweb'’s code generator to add > seccomp to the binaries it produces be a good idea? >
Benjamin, Could you please explain, why do you propose to ignore Mac and BSD users and divert Ur/Web focus to linux-specific "features"? What kind of "untrusted" code are you talking about in Ur/Web binaries? Best regards, Alexander _______________________________________________ Ur mailing list [email protected] http://www.impredicative.com/cgi-bin/mailman/listinfo/ur
