Privilege separation
Michel Arboi
mikhail at nessus.org
Tue Aug 24 18:49:40 EDT 2004
On Tue Aug 24 2004 at 23:46, eric wrote:
> Yes, OpenSSL is one large conglomeration of mish-mash. But hey,
> that's a whole other story - I'm not looking for you to tell me
> where the problems-by-proxy are.
You are asking us to put expensive security to protect Nessus against
mysterious bugs that might happen one day. I'm pointing where the
next bug is likely to appear.
> Indeed I am, and I'm working on some stuff to get at least the
> listener privsep'ed.
Don't work, just think:
Use stunnel, chroot it, etc. and configure it to connect back to
nessusd. Configure nessusd to use login / password authentication
instead of certificates. Do not password protect your client
certificates (because of a limitation in the GUI).
Et voila, you have your privilege separation on the listener.
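
A sketch of the stunnel side of the setup described in this message, added here as an illustration; it is not part of the original post or of the Nessus distribution. The chroot directory, the `stunnel` account, the certificate paths, and the loopback port are assumptions, as is the use of `verify = 2` to have stunnel check the client certificates the message mentions.

```ini
; stunnel.conf (constructed example; all paths, the account name and
; the backend port are placeholders)

; Drop privileges and confine the TLS-handling process.
chroot = /var/lib/stunnel/
setuid = stunnel
setgid = stunnel
; The pid path is interpreted relative to the chroot directory.
pid = /stunnel.pid

[nessus]
; Public TLS listener on the usual nessusd port.
accept = 1241
; Hand the decrypted stream to nessusd on loopback (assumed port).
; nessusd is assumed to listen only on 127.0.0.1 and to authenticate
; users by login / password, as the message suggests.
connect = 127.0.0.1:11241
; Server certificate and key presented to clients.
cert = /etc/stunnel/nessus-server.pem
key = /etc/stunnel/nessus-server.key
; Assumption: require a client certificate signed by this CA.
CAfile = /etc/stunnel/nessus-clients-ca.pem
verify = 2
```

With this layout the OpenSSL code that parses untrusted network input runs as an unprivileged, chrooted process, while nessusd itself is reachable only from the local host.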