| 1 |
On Wed, 14 Dec 2011 16:27:45 +0100 |
| 2 |
Javier Juan Martínez Cabezón wrote: |
| 3 |
|
| 4 |
When I have more time I promise to hunt the references out and send |
| 5 |
them to you. |
| 6 |
|
| 7 |
> I have never said to eliminate DAC. I just told that ONLY DAC as |
| 8 |
> openbsd do is a bad option and insecure. |
| 9 |
> You can substitute DAC with RBAC (and RSBAC gives an option to do it). |
| 10 |
> |
| 11 |
> Now DAC and RBAC are layered, RBAC can be secure without DAC, DAC |
| 12 |
> WOULD NEVER be secure without RBAC. |
| 13 |
|
| 14 |
Let's play your game as you keep mixing up contexts and you're the one |
| 15 |
making blanket statements not me and telling me you know what I know |
| 16 |
better than myself. I merely said that methods of breaking RBAC have |
| 17 |
been discussed and a kernel exploit is one of them. |
| 18 |
|
| 19 |
So show me how you can break out of the default apache on OpenBSD then? |
| 20 |
|
| 21 |
>> There is no way that a rootkit could access to kernel memory, |
| 22 |
>> /dev/mem, ioports an alike devices are fully controlled and module |
| 23 |
>> interfaz too and kernel sources too. Tell me how the hell can anyone |
| 24 |
>> launch a ring 0 rootkit, and give proofs as I did a not simple search |
| 25 |
>> in grsec or openbsd sites. |
| 26 |
|
| 27 |
>> RBAC IS the kernel, |
| 28 |
>> |
| 29 |
|
| 30 |
RBAC is part of the kernel yes and so stored in memory. It is also a |
| 31 |
part of the kernel that is meant to be switchable. An exploit in the |
| 32 |
kernel can not only bypass RBAC or switch it off it can even situate a |
| 33 |
rootkit above the kernel leaving RBAC in place and having ALL rights |
| 34 |
aka the root of the system. Yes a perfect policy may prevent an exploit |
| 35 |
but it's equally possible that a perfect policy has to allow the |
| 36 |
exploit for desired functionality. |
| 37 |
|
| 38 |
The question is what is more important, keeping attackers out or making |
| 39 |
sure your policies are good enough to stop them. I prefer OpenBSD for |
| 40 |
many reasons aside from just this anyway. |
| 41 |
|
| 42 |
You turned this into a bashing of OpenBSD and I'm not sure anyone here |
| 43 |
appreciates the hijacking of this thread, I should have known better |
| 44 |
than to mention OpenBSD here and almost removed it before sending, lets |
| 45 |
stop and agree to disagree. It's not the first time the importance of |
| 46 |
RBACs bug exploitation prevention versus bug removal and prevention at |
| 47 |
source has been discussed. Hopefully one day the Linux kernel will be |
| 48 |
as bug free and capable to be safely as static as OpenBSDs, I also hope |
| 49 |
OpenBSD gets a MAC one day too. Unfortunately I can't see either |
| 50 |
happening. |
Archives