Bugtraq mailing list archives
Re: UnixWare
From: perry () snark imsi com (Perry E. Metzger)
Date: Wed, 27 Apr 1994 15:11:43 -0400
Casper Dik says:
Name a couple for us then. I personally have seen only one security hole in a kernel in the past several years -- the division bug under older SunOS. Virtually every alert is related to a program that's setuid root, or that is needlessly running with root privileges (like sendmail).

A number of SunOS ones: divide by zero, imul, idiv emulation (two separate bugs), PTRACE_ATTACH (in SunOS 4.0.x). There was some bug in early Solaris versions in window underflow/overflow traps too (unconfirmed). There are also ones reported in V6 or V7 unix.

Compare this to the almost weekly reports of security bugs at user level, and I believe my point is proven. Kernel security bugs show up maybe once every year or two -- none that I know of has appeared in 4.1.X SunOS, and it's been running for several years now. Just looking at SunOS, there have been three sendmail bugs, some rdist bugs, some bugs with SUID LD_LIBRARY_PATH handling, etc, etc. One shows up every few months.

I agree that one must keep track of the bugs out there, BUT if one is running a public access system that one expects to be regularly attacked, it's probably better to make the system inherently safe by removing the places that security bugs could crop up.

Perry