1 |
> You know you can. No perl binary, or chmod 750 or rbac as I had said. |
2 |
> All exploits are bugs and it should be harder to escalate priviledges |
3 |
> through perl than by introducing your own C. |
4 |
|
5 |
Clear, making use intensive under openbsd as you said. With 750 even |
6 |
with 700 root can stills using it, as in extension any software run by |
7 |
him. It's harder programming in python than in C? in python you can |
8 |
write exploits too, no it isn't harder. Any programmer can do it. |
9 |
|
10 |
> You are simplifying everything, security is a process. Noexec is a |
11 |
> useful tool. How much of what I said did you read. I understand your |
12 |
> points and most security has nothing to do with root. I understand root |
13 |
> can execute files chmodded 000 and I agree that RBAC is useful, the |
14 |
> point is so is noexec and systrace. |
15 |
|
16 |
Noexec is not usefull at all I give you the reason it does not |
17 |
controls scripts interpretation is a false sense of security. Is |
18 |
something like get a not executable stack without pax mprotect, it |
19 |
does nothing alone |
20 |
|
21 |
My system has no root, root has all capabilities in 0, so the same |
22 |
privileges as a normal user has, can't do ptrace to others process, |
23 |
can't read files not our, can't load modules etc etc etc. Every |
24 |
capability is removed. Check rsbac.org. With rbac even root can't |
25 |
access a program he has started. Read about rbac and when you get |
26 |
understood which it offers then told me what it can or what does not |
27 |
offers. |
28 |
|
29 |
Systrace is dead, the project is dead. It does not exists from long ago. |
30 |
> |
31 |
> No it doesn't it restricts root. An exploit may bypass RBAC it may |
32 |
> bypass mount restrictions it may bypass both it may only bypass one, in |
33 |
> which case they are both again useful. |
34 |
> |
35 |
> And OpenBSDs systrace can restrict a lot. System calls are the |
36 |
> hearts heart of an OS. |
37 |
|
38 |
I have said to you that rbac can make impossible to launch untrusted |
39 |
code (even exploits) executed and interpreted as in perl myperlscript. |
40 |
In one of my first mail I pointed you ways in that root can do harm |
41 |
and how rbac can avoid them. Root is not important because root is |
42 |
only important in DAC not in RBAC. Read the link I sen't to you before |
43 |
because you stills not understood this point. |
44 |
|
45 |
Yes an system dead long ago, and not it only do this: after this bind |
46 |
you can only get a listen. It gives not flexibility, granularity at |
47 |
all. |