> > The point is, you *can't* guarantee that a large, capable, general
> > purpose package is bug free, whether the bugs are security oriented or
> > anything else. So you need something to backstop it, like Type
> > Enforcement or maybe MLS protections.
> Of course a class B operating system is itself a large, capable, general
> purpose package.
True, but the point is that you must break sendmail *and* the backstop
before your intrusion will be successful. C2 and higher systems will
be auditing sendmail's every move. If sendmail forks a shell or
begins to access non-mail-related files, a properly configured B level
OS can detect that, and shut sendmail down and alert the administrator.
Also hacking through an MLS or Type Enforcement system is not trivial.
The same logic applies to the recent syslog problems. If your OS can
monitor the daemons, it has a chance to detect when they've been
overrun by means of yet another buffer overflow bug.
That is why I am a strong advocate of running firewalls on trusted
Secure Systems Engineering
AT&T Bell Labs
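An added illustration of the audit-based backstop the post describes (example code, not from the post or from any real B-level OS): a toy monitor that reads constructed audit records and flags a sendmail process that execs a shell or opens a file outside an assumed mail-related path list. The record format, the path whitelist and the list of shells are all assumptions made for the example.

```python
"""Toy audit-trail monitor: sendmail may only exec itself and may only
open files under mail-related paths; anything else raises an alert and
marks the offending pid for shutdown.  Hypothetical policy, not a real one."""

# Assumed mail-related locations (prefix match) and shell binaries.
MAIL_PATHS = ("/var/spool/mqueue/", "/var/spool/mail/", "/etc/mail/",
              "/etc/sendmail.cf", "/var/log/maillog")
SHELLS = ("/bin/sh", "/bin/csh", "/bin/ksh")

# Constructed audit stream: "pid,process,syscall,target", one record per line.
SAMPLE_AUDIT = """\
1042,sendmail,open,/var/spool/mqueue/qfAA01042
1042,sendmail,open,/etc/sendmail.cf
1042,sendmail,exec,/bin/sh
1042,sendmail,open,/etc/passwd
1050,cron,exec,/bin/sh
"""


def parse_record(line):
    """Split one constructed audit record into its fields."""
    pid, proc, call, target = line.strip().split(",", 3)
    return {"pid": int(pid), "process": proc, "syscall": call, "target": target}


def check_record(rec):
    """Return an alert string if the record violates the sendmail policy, else None."""
    if rec["process"] != "sendmail":
        return None  # policy here only constrains the sendmail domain
    if rec["syscall"] == "exec" and rec["target"] in SHELLS:
        return f"pid {rec['pid']}: sendmail spawned a shell ({rec['target']})"
    if rec["syscall"] == "open" and not rec["target"].startswith(MAIL_PATHS):
        return f"pid {rec['pid']}: sendmail opened non-mail file {rec['target']}"
    return None


def monitor(audit_text):
    """Scan an audit stream; return (alerts, sorted pids to shut down)."""
    alerts, kill = [], set()
    for line in audit_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        alert = check_record(rec)
        if alert:
            alerts.append(alert)
            kill.add(rec["pid"])
    return alerts, sorted(kill)


if __name__ == "__main__":
    found, pids = monitor(SAMPLE_AUDIT)
    print("\n".join(found), "\nshut down:", pids)
```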