From: <ma...@ne...> - 2005-02-24 10:14:23
VANHULLEBUS Yvan <va...@fr...> wrote:

> - We have a privsep feature (I don't know exactly how it works, just
> had a quick look at other mails in this thread)
> - We want a config reload without losing tunnels
> - With actual privsep implementation, those features can't work
> together....

That's a strange way of presenting the issue. With the actual racoon
implementation, config reload does not work at all, but we will fix that,
and I believe we can do it with privilege separation too.

> Why is privsep interesting ?
(snip)
> What can an attacker do if he can take control of the unpriv instance ?
> - limited file access
> - access to "whatever" unpriv has in memory/config.... including all
> configuration, PSKs, certificates, etc....
> Is this really less dangerous than root local access ?
> Just a little bit.

I see a big difference: without privilege separation, the attacker will
immediately gain root on the machine. And here starts the fun, with rootkit
installation and so on.

> For now, the only thing I know is that I *have* to do conf reload
> quickly, with or without privsep, so I'll start working on a local
> copy of the 0.5 branch (won't commit on that branch), and we'll see later
> what can be done on the CVS.

If you are very short on time, then please do it on HEAD without taking
care about privsep and I'll clean the mess afterwards.

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
ma...@ne...
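The monitor/worker split the two messages above argue about, as an added illustration that is not racoon's code and not part of the thread: a privileged monitor forks an unprivileged worker and talks to it over a socketpair, and the monitor performs only a fixed set of operations on the worker's behalf. Which data lives on which side is a design choice; this sketch keeps the PSK table in the monitor and only ever hands the worker a derived MAC, which is not a statement about how racoon's privsep distributes its state. It assumes a local user named `nobody` for the privilege drop (skipped when the process is not started as root) and uses a constructed PSK table and a constructed list of worker requests, one of which is the kind of request a compromised worker would make.

```python
"""Minimal privilege-separation skeleton (illustration only, not racoon's code).

The privileged parent ("monitor") forks a worker, which drops to an unprivileged
uid and may then only ask the monitor for the operations monitor_handle() lists.
"""
import hashlib
import hmac
import json
import os
import pwd
import socket

# Constructed sample secrets; a real daemon would load these from its config.
PSK_TABLE = {"peer-a": b"correct horse battery staple"}

UNPRIV_USER = "nobody"  # assumption: this account exists on the host


def drop_privileges(user=UNPRIV_USER):
    """Switch the worker to an unprivileged uid/gid.

    Only meaningful when started as root; otherwise the process already runs
    unprivileged and we report that nothing was dropped.
    """
    if os.geteuid() != 0:
        return False
    pw = pwd.getpwnam(user)
    os.setgroups([])
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    return True


def monitor_handle(req):
    """Privileged side: the monitor's interface *is* the remaining attack surface.

    Only the operations listed here are served; a request for the raw key, a
    shell, an arbitrary file, or anything else is refused.
    """
    if req.get("op") == "mac":
        psk = PSK_TABLE.get(req.get("peer"))
        if psk is None:
            return {"err": "unknown peer"}
        nonce = bytes.fromhex(req.get("nonce", ""))
        return {"mac": hmac.new(psk, nonce, hashlib.sha256).hexdigest()}
    return {"err": "refused"}


def send_msg(sock, obj):
    sock.sendall(json.dumps(obj).encode() + b"\n")


def recv_msg(sock):
    """Read one newline-terminated JSON message; None when the peer closed."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(4096)
        if not chunk:
            return None
        buf += chunk
    return json.loads(buf)


def run_privsep(worker_requests):
    """Fork a worker that issues worker_requests; return (monitor replies, worker exit status)."""
    monitor_end, worker_end = socket.socketpair()
    pid = os.fork()
    if pid == 0:  # worker: give up the monitor's end and its privileges first
        monitor_end.close()
        try:
            drop_privileges()
            for req in worker_requests:
                send_msg(worker_end, req)
                recv_msg(worker_end)  # the worker only ever sees the reply
            worker_end.close()
            os._exit(0)
        except Exception:
            os._exit(1)
    worker_end.close()
    replies = []
    while True:  # monitor: serve requests until the worker closes its end
        req = recv_msg(monitor_end)
        if req is None:
            break
        reply = monitor_handle(req)
        send_msg(monitor_end, reply)
        replies.append(reply)
    monitor_end.close()
    _, status = os.waitpid(pid, 0)
    return replies, os.WEXITSTATUS(status)


if __name__ == "__main__":
    # Constructed worker traffic: one legitimate request, then two a compromised
    # worker might try. Only the first is served.
    print(run_privsep([
        {"op": "mac", "peer": "peer-a", "nonce": "0011"},
        {"op": "dump_psk", "peer": "peer-a"},
        {"op": "mac", "peer": "peer-z", "nonce": "0011"},
    ]))
```

Run as an ordinary user the worker is not re-uid'ed (drop_privileges returns False) but the request/refusal flow is identical; run as root it lands in `nobody`. The point the thread makes is visible in the second reply: taking over the worker yields whatever the worker can ask the monitor for, not root, so the value of privsep is exactly as large as the monitor's interface is small.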