THIS CODE BASE is not intended to be secure
honestly, though, let's expand on this a bit, seeing as how that can be a confusing statement. the following things are true about this codebase:
- this is not a product. this is a pre-1.0 version of a GPL tool.
- there is no formal security review of this code at this time.
- if you have concerns about this code misbehaving then you should
  a) use selinux and work with the policy. however you should note that if the listener is compromised, the attacker has a raw socket to read from. this may or may not be a problem, depending on how you run it, so some thought should be put into where you are running this code. if you really use this tool perhaps you should read through the policy. the chroot setuid protection in the non-selinux code doesn't really give you enough protection imo.
  b) review the code. this release is for developers and interested people to play with. if you find anything you don't like we would love to hear from you.
- the rate of development right now and the state of it is not stable, think of this as being a CVS checkout of code. If it breaks I'm not going to cry. I'll try and do a decent job right now, but I think you should fully understand where the state of this project is before you use it.
BEFORE YOU TYPE MAKE,
- run ./configure --help and read it
- run ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-bundled-ltdl for example
- type make
- type make install
have fun, be good, and please talk to us. #unicornscan on efnet. https://lists.sourceforge.net/lists/listinfo/osace-users