Subject: Re: CVS commit: src/etc
To: Peter Postma <peter@pointless.nl>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: tech-userlevel
Date: 04/06/2005 13:22:02
In message <20050406170637.GA80072@gateway.pointless.nl>, Peter Postma writes:

>
>You might not think this improves security, but I think it does.

I agree, though /etc/security should be fixed so that it doesn't 
complain about the "_" character.
>
>And why should we do this differently than OpenBSD? Their pflogd(8) has
>been developed in a way to reduce potential security issues, why
>should we ignore that?
>
There are often lots of reasons to disagree with them; this isn't one
of them.  We really want to limit the damage that can be done by any
single malfunctioning program.

A more interesting question is whether or not there's a better way, 
since lots of special-purpose logins create their own manageability 
headaches.  Perhaps something with systrace?

		--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb