Maintainers wanted for packages from 2013-02-27 FESCo Meeting
Michael Scherer
misc at zarb.org
Fri Mar 8 12:29:49 UTC 2013
Le vendredi 08 mars 2013 à 04:15 +0000, Sérgio Basto a écrit :
> About what you wrote:
> Don't understand the concern on so must security, I use it under a
> router so this port are close to exterior and in side my LAN don't see a
> problem to have a tcp port, neither have completely untrusted email.
Usually, clamav interact with the rest of the world by reading files
sent by anybody on the internet using smtp, so it is processing
potentially hostile input, even with all closed ports on the firewall.
For exemple, if there is a flaw in the parser of exe parser of clamav
and i send you a cooked email with a exe that trigger the exploit, with
a hardened setup, clamav would
1) have no network access ( thus preventing me to use it to spam or
attack the lan )
2) not have possibility to spawn a shell or anything ( thus requiring me
to write or find a more complex exploit, and preventing me from spawing
a process that would survive a restart of clamav )
3) would not be able to use a local exploit using something in /dev, in
the unlikely event such a exploit exist at the same time than a clamav
issue.
So if someone is running with all protections ( fw, selinux down ), they
would still cause issues to some exploits. That's not a magic solution,
but better than nothing.
That's defence in depth. Some people may not have firewall setup or
selinux setup, or some people may be attacked from the inside of the LAN
and have disabled selinux on the whole server because "that was written
on the web". So while a firewall and selinux prevent some type of attack
( and is useful to have of course ), it can be good to have others type
of protections in case of.
--
Michael Scherer
More information about the devel
mailing list