This forum uses cookies
This forum makes use of cookies to store your login information if you are registered, and your last visit if you are not. Cookies are small text documents stored on your computer; the cookies set by this forum can only be used on this website and pose no security risk. Cookies on this forum also track the specific topics you have read and when you last read them. Please confirm whether you accept or reject these cookies being set.

A cookie will be stored in your browser regardless of choice to prevent you being asked this question again. You will be able to change your cookie settings at any time using the link in the footer.

Security update dicussion
#1
Security update dicussion
Hi dev team!

As we know, suhosin offer only light update since few months. I don't really know if this will be update for the futur developpement.

So I start to think to introduce in the installer, Modsecurity + some usefull fail2ban jails instead of suhosin. 

I don't know what you think about that? 

After that, I saw M.B talk about getting out zsudo in the next update. 

I meet some warning during the Core installation under Ubuntu 16.04 and Fedora.


/etc/sentora/configs/bin/zsudo.c: In function ‘main’:
/etc/sentora/configs/bin/zsudo.c:82:23: warning: implicit declaration of function ‘setuid’ [-Wimplicit-function-declaration]
                 if ( !setuid( geteuid() ) )
                       ^~~~~~
/etc/sentora/configs/bin/zsudo.c:82:31: warning: implicit declaration of function ‘geteuid’ [-Wimplicit-function-declaration]
                 if ( !setuid( geteuid() ) )
                               ^~~~~~~

I don't see any impact in fact. but do you have a patch about that? What is the last update you've got about this change? I can test it if you need.

Eulogy
Reply
Thanks given by:
#2
RE: Security update dicussion
We plan to remove zsudo. Zsudo is piping the command it receives and execute them with sudo. We will have instead only few bash files that will execute some required root functions like restarting/reload apache or bind and thus limite down any attack that may target zsudo.

May be later we should split down the front from the backend using an API.

M B
No support using PM (Auto adding to IGNORE list!), use the forum. 
How to ask
Coldfusion Freelance

10$ free to start your VPS

Reply
Thanks given by:


Possibly Related Threads...
Thread Author Replies Views Last Post
Security Qtech 16 8,437 07-15-2015, 02:29 AM
Last Post: apinto
Questions before update on installer... Ron-e 1 1,577 04-18-2015, 04:24 AM
Last Post: Me.B
suhosin update JWTech 3 3,213 02-17-2015, 09:06 PM
Last Post: Me.B

Forum Jump:


Users browsing this thread: 1 Guest(s)