1 |
On Wed, 14 Dec 2011 16:27:45 +0100 |
2 |
Javier Juan Martínez Cabezón wrote: |
3 |
|
4 |
When I have more time I promise to hunt the references out and send |
5 |
them to you. |
6 |
|
7 |
> I have never said to eliminate DAC. I just told that ONLY DAC as |
8 |
> openbsd do is a bad option and insecure. |
9 |
> You can substitute DAC with RBAC (and RSBAC gives an option to do it). |
10 |
> |
11 |
> Now DAC and RBAC are layered, RBAC can be secure without DAC, DAC |
12 |
> WOULD NEVER be secure without RBAC. |
13 |
|
14 |
Let's play your game as you keep mixing up contexts and you're the one |
15 |
making blanket statements not me and telling me you know what I know |
16 |
better than myself. I merely said that methods of breaking RBAC have |
17 |
been discussed and a kernel exploit is one of them. |
18 |
|
19 |
So show me how you can break out of the default apache on OpenBSD then? |
20 |
|
21 |
>> There is no way that a rootkit could access to kernel memory, |
22 |
>> /dev/mem, ioports an alike devices are fully controlled and module |
23 |
>> interfaz too and kernel sources too. Tell me how the hell can anyone |
24 |
>> launch a ring 0 rootkit, and give proofs as I did a not simple search |
25 |
>> in grsec or openbsd sites. |
26 |
|
27 |
>> RBAC IS the kernel, |
28 |
>> |
29 |
|
30 |
RBAC is part of the kernel yes and so stored in memory. It is also a |
31 |
part of the kernel that is meant to be switchable. An exploit in the |
32 |
kernel can not only bypass RBAC or switch it off it can even situate a |
33 |
rootkit above the kernel leaving RBAC in place and having ALL rights |
34 |
aka the root of the system. Yes a perfect policy may prevent an exploit |
35 |
but it's equally possible that a perfect policy has to allow the |
36 |
exploit for desired functionality. |
37 |
|
38 |
The question is what is more important, keeping attackers out or making |
39 |
sure your policies are good enough to stop them. I prefer OpenBSD for |
40 |
many reasons aside from just this anyway. |
41 |
|
42 |
You turned this into a bashing of OpenBSD and I'm not sure anyone here |
43 |
appreciates the hijacking of this thread, I should have known better |
44 |
than to mention OpenBSD here and almost removed it before sending, lets |
45 |
stop and agree to disagree. It's not the first time the importance of |
46 |
RBACs bug exploitation prevention versus bug removal and prevention at |
47 |
source has been discussed. Hopefully one day the Linux kernel will be |
48 |
as bug free and capable to be safely as static as OpenBSDs, I also hope |
49 |
OpenBSD gets a MAC one day too. Unfortunately I can't see either |
50 |
happening. |