| 1 |
> You know you can. No perl binary, or chmod 750 or rbac as I had said. |
| 2 |
> All exploits are bugs and it should be harder to escalate priviledges |
| 3 |
> through perl than by introducing your own C. |
| 4 |
|
| 5 |
Clear, making use intensive under openbsd as you said. With 750 even |
| 6 |
with 700 root can stills using it, as in extension any software run by |
| 7 |
him. It's harder programming in python than in C? in python you can |
| 8 |
write exploits too, no it isn't harder. Any programmer can do it. |
| 9 |
|
| 10 |
> You are simplifying everything, security is a process. Noexec is a |
| 11 |
> useful tool. How much of what I said did you read. I understand your |
| 12 |
> points and most security has nothing to do with root. I understand root |
| 13 |
> can execute files chmodded 000 and I agree that RBAC is useful, the |
| 14 |
> point is so is noexec and systrace. |
| 15 |
|
| 16 |
Noexec is not usefull at all I give you the reason it does not |
| 17 |
controls scripts interpretation is a false sense of security. Is |
| 18 |
something like get a not executable stack without pax mprotect, it |
| 19 |
does nothing alone |
| 20 |
|
| 21 |
My system has no root, root has all capabilities in 0, so the same |
| 22 |
privileges as a normal user has, can't do ptrace to others process, |
| 23 |
can't read files not our, can't load modules etc etc etc. Every |
| 24 |
capability is removed. Check rsbac.org. With rbac even root can't |
| 25 |
access a program he has started. Read about rbac and when you get |
| 26 |
understood which it offers then told me what it can or what does not |
| 27 |
offers. |
| 28 |
|
| 29 |
Systrace is dead, the project is dead. It does not exists from long ago. |
| 30 |
> |
| 31 |
> No it doesn't it restricts root. An exploit may bypass RBAC it may |
| 32 |
> bypass mount restrictions it may bypass both it may only bypass one, in |
| 33 |
> which case they are both again useful. |
| 34 |
> |
| 35 |
> And OpenBSDs systrace can restrict a lot. System calls are the |
| 36 |
> hearts heart of an OS. |
| 37 |
|
| 38 |
I have said to you that rbac can make impossible to launch untrusted |
| 39 |
code (even exploits) executed and interpreted as in perl myperlscript. |
| 40 |
In one of my first mail I pointed you ways in that root can do harm |
| 41 |
and how rbac can avoid them. Root is not important because root is |
| 42 |
only important in DAC not in RBAC. Read the link I sen't to you before |
| 43 |
because you stills not understood this point. |
| 44 |
|
| 45 |
Yes an system dead long ago, and not it only do this: after this bind |
| 46 |
you can only get a listen. It gives not flexibility, granularity at |
| 47 |
all. |
Archives