BIND 9.10.1 beta with seccomp functionality

devzero2000 pinto.elia at gmail.com
Tue Aug 19 21:40:58 UTC 2014


On 19 Aug 2014 17:10, "Tomas Hozza" <thozza at redhat.com> wrote:
>
> Hello.
>
> ISC is working on a new BIND 9.10 release which includes the seccomp
> functionality. It can be turned on by configuring BIND before build with
> "--enable-seccomp".
>
> ISC asked me to kindly ask Fedora community if they would be willing to
> test it. Currently I'm working on rebasing BIND to 9.10 in rawhide.
> However it is still not finished. Since DHCP (including dhclient)
> depends on BIND libraries I'm not able to easily provide testing RPMs
> that would be installable.
>
> In the future I would like to turn the feature on by default.
>
> So if you are willing to test the feature, you can download the latest BIND
> 9.10.1b2 on http://www.isc.org/downloads/
>
> Configure it with "--enable-seccomp" and you're good to go.
>
> You can send your feedback to bind-beta-response at lists.isc.org,
> bind-users at lists.isc.org or bind-bugs at isc.org
>
> Some words about the feature from the contributor:
> "It goes further than a chroot. chroot limits an attacker to a
> filesystem. It doesn't prevent the attacker from running his "exploit"
> aka nefarious code and making socket connections over the internet that
> would give him some kind of backdoor access where he can remotely
> execute his code.
>
> That's where seccomp kicks in, it acts as a 2nd wall of defence. In case
> of a security hole being present in the server process, it goes further
> than a chroot, it prevents the attacker from making socket connections
> or executing his code, as his "playing field" is significantly reduced.
> There's very little he can do."

Is there some duplication of security features that some MAC systems, such as
SELinux, offer in the first place? Sure, someone can tell that SELinux could be
disabled by the lazy sysadmin.

Thanks

Best regards
>
> Thank you.
>
> Regards,
> --
> Tomas Hozza
> Software Engineer - EMEA ENG Developer Experience
>
> PGP: 1D9F3C2D
> Red Hat Inc.                               http://cz.redhat.com
> --
> devel mailing list
> devel at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
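
The restriction the contributor describes (a compromised process that can neither open sockets nor execute another program), as an added illustration that is not BIND's seccomp code and not part of the original messages: a raw seccomp-BPF denylist for `socket` and `execve`, probed from a forked child. It assumes Linux with seccomp filter support; `/bin/true` is only a constructed exec target.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>

/* One rule: if the syscall number matches, fail it with EPERM; else fall through. */
#define DENY(nr) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM)

/* Demo denylist for socket(2) and execve(2). A production filter is an allowlist
 * and also validates seccomp_data.arch. */
static int install_filter(void) {
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        DENY(__NR_socket),
        DENY(__NR_execve),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = (unsigned short)(sizeof(prog) / sizeof(prog[0])), .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Forks a child, filters it, and returns a bitmask: 1 = socket() got EPERM,
 * 2 = execve() got EPERM; -1 if the filter could not be installed. */
static int probe_under_filter(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "/bin/true", NULL };   /* constructed target */
        int result = 0;
        if (install_filter() != 0) _exit(64);
        if (socket(AF_INET, SOCK_STREAM, 0) == -1 && errno == EPERM) result |= 1;
        execve(argv[0], argv, (char *const[]){ NULL });  /* returns only on failure */
        if (errno == EPERM) result |= 2;
        _exit(result);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 64 ? -1 : WEXITSTATUS(status);
}

int main(void) { printf("denied mask: %d\n", probe_under_filter()); return 0; }
```

The filter is applied by the kernel to the process itself and cannot be removed once installed, so it holds regardless of whether a MAC policy such as SELinux is enabled on the host.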