kremlyn
November 13th, 2002, 02:23
No doubt some of you have heard of the latest exploit for BIND. OpenBSD is affected; however, given that it's not turned on by default and chrooted, the damage is contained.
This leads me to an interesting topic..
How long will the OpenBSD core team continue to consider chroots and default-disabled services as being pertinent to the project's stated goals?
Surely turning services off and localising the damage when exploited isn't good enough for a secure OS like OpenBSD.
The alternatives are there..
postfix as a replacement for sendmail
djbdns as a replacement for bind
The only problem here is that DJB's software (qmail and djbdns) cannot be patched by third parties (which is why I note postfix there, instead of qmail).
The core team has shown, through the ipf/pf and ssh/openssh examples, that it has the balls to take the necessary steps and back them up with results. Is it time they set the standard again?
Any opinions on this?
//kremlyn