Great Circle Associates Firewalls
(November 1995)

Subject: chroot/setuid vs type enforcement
From: jeromie @ garrison . com
Date: Tue, 28 Nov 95 10:58:15 CST
To: firewalls @ greatcircle . com

I was wondering if anyone has seen any papers comparing & contrasting
type enforcement vs. a chroot() setuid() environment.  I have done a bit of
research, and I have found the following.

1) type enforcement provides multiple domains that allow for separation of duty.

2) type enforcement allows for the removal of system calls from any given 
   domain.

3) type enforcement requires a configuration of who can touch what.  This can
   be useful for triggering alarms & potentially strong audit data.

The one thing that I see as a potential downfall to the integrity of type 
enforcement is configuration.  It appears to me that it could be cumbersome &
very detailed.  I myself feel the KISS approach is always best, and type
enforcement seems to break this rule.

I would be very interested to hear comments, and extremely interested to see a
paper on the subject.

Jeromie Jackson
Garrison Associates
jeromie @ garrison . com
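To make the three points in the post concrete, here is an added example (not part of the original message, and not the syntax or code of any real type-enforcement product) that models both approaches side by side: a type-enforcement policy as a domain/type access table plus a per-domain syscall allowlist, and a chroot()/setuid() jail as a single pathname boundary. The domain names (ftp_d, admin_d), type names (ftp_spool_t, ftp_conf_t, audit_log_t), syscall set and request list are all constructed for the illustration. Running the same kinds of requests through both shows where the extra configuration buys something: the TE model refuses a cross-duty write, refuses a removed syscall, and records every denial for audit, while the jail only answers "is this path under my root" and removes no syscalls at all.

```python
"""Toy comparison of a chroot()/setuid() jail and a type-enforcement (TE) policy.

Constructed illustration: the policy format below is invented for this example
and is not the configuration language of any real TE implementation.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List
import posixpath

# Constructed set of system calls the toy policy can remove from a domain (point 2).
SYSCALLS = frozenset({"socket", "execve", "fork", "setuid"})


@dataclass(frozen=True)
class Request:
    """One access attempt: who (TE domain, or jailed uid), what (object type in the
    TE model, absolute pathname in the chroot model), and how (access mode or syscall)."""
    subject: str
    obj: str
    op: str


@dataclass
class TEPolicy:
    """Domain Definition Table plus a per-domain syscall allowlist.

    ddt[domain][type] is the set of access modes the domain may use on objects of
    that type; anything not listed is denied (point 1: separation of duty).
    Every denial is appended to `audit`, which is the hook for alarms (point 3).
    """
    ddt: Dict[str, Dict[str, FrozenSet[str]]]
    syscalls: Dict[str, FrozenSet[str]]
    audit: List[str] = field(default_factory=list)

    def allows(self, r: Request) -> bool:
        if r.op in SYSCALLS:
            ok = r.op in self.syscalls.get(r.subject, frozenset())
        else:
            ok = r.op in self.ddt.get(r.subject, {}).get(r.obj, frozenset())
        if not ok:
            self.audit.append(f"DENY domain={r.subject} object={r.obj} op={r.op}")
        return ok


@dataclass
class ChrootJail:
    """chroot()+setuid() model: one pathname boundary and a uid, nothing else.

    Paths outside the root simply cannot be resolved (the kernel reports ENOENT),
    so there is no policy-level denial record, and every syscall stays available.
    """
    root: str

    def allows(self, r: Request) -> bool:
        if r.op in SYSCALLS:
            return True  # chroot removes no system calls
        path = posixpath.normpath(r.obj)
        return path == self.root or path.startswith(self.root.rstrip("/") + "/")


# Constructed policy: an FTP daemon domain and an administrative domain.
FTP_DDT = {
    "ftp_d": {"ftp_spool_t": frozenset({"read", "write"}),
              "ftp_conf_t": frozenset({"read"})},
    "admin_d": {"ftp_conf_t": frozenset({"read", "write"}),
                "audit_log_t": frozenset({"read"})},
}
FTP_SYSCALLS = {
    "ftp_d": frozenset({"socket", "fork"}),  # execve and setuid removed from ftp_d
    "admin_d": frozenset({"socket", "fork", "execve", "setuid"}),
}


def run_scenario():
    """Evaluate constructed requests under both models.

    Returns (TE decisions, TE audit lines, chroot decisions) for the same four
    kinds of access: a normal duty, a cross-duty write, a removed syscall, and a
    read of the audit trail.
    """
    te = TEPolicy(FTP_DDT, FTP_SYSCALLS)
    jail = ChrootJail("/var/ftp")
    te_reqs = [
        Request("ftp_d", "ftp_spool_t", "write"),  # the daemon's actual job
        Request("ftp_d", "ftp_conf_t", "write"),   # crosses the duty boundary
        Request("ftp_d", "", "execve"),            # syscall removed from ftp_d
        Request("ftp_d", "audit_log_t", "read"),   # audit trail is admin_d only
    ]
    jail_reqs = [
        Request("ftp", "/var/ftp/pub/file", "write"),
        Request("ftp", "/var/ftp/etc/ftpd.conf", "write"),  # inside the root: allowed
        Request("ftp", "", "execve"),                        # allowed: nothing removed
        Request("ftp", "/var/log/audit", "read"),            # outside the root
    ]
    return ([te.allows(r) for r in te_reqs], list(te.audit),
            [jail.allows(r) for r in jail_reqs])


if __name__ == "__main__":
    te_dec, audit, jail_dec = run_scenario()
    print("TE decisions:    ", te_dec)
    print("TE audit:        ", *audit, sep="\n  ")
    print("chroot decisions:", jail_dec)
```

The cost the post worries about is visible in the size of FTP_DDT and FTP_SYSCALLS relative to a single chroot root: every domain/type pair has to be written down, and a missing entry is a denial, not a silent allow. That is also what makes the audit list meaningful, since each entry names exactly which configured boundary was crossed.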
