List Archive: gentoo-hardened
Headers:
To: gentoo-hardened@g.o
From: Kevin Chadwick <ma1l1ists@...>
Subject: Re: New Server, considering hardened, need pointers to tfm...
Date: Wed, 14 Dec 2011 19:45:26 +0000
Javier Juan Martínez Cabezón wrote:

> there is not
> a magic button "switch_off" as SELINUX.

and yet previously

>> UID 0 can't switch off nothing only role admin can do it, and usually
>> is not UID 0, in rsbac is UID 400.

>> DAC WOULD NEVER be secure without RBAC.

and yet this is DAC with chroot

> but yeah it's clear that is nearly
> impossible to get a remote hole in coreutils because they audit his
> code.....

> I only correct your mistakes and try to avoid that the user gets
> confused by you,
> I have been all the thread showing that your noexec implementation does not
> work and exposed the reason about this and probable solutions. If you
> are blind about this don't try to extend your blindness to the user
> that wants suggestions.

It is dismissive people like you giving excuses to developers to lower
the default security of Linux for all those desktops who can't spend
time on security and for which noexec would and could have prevented
exploits from downloads to the home directory and from USBs and so udev,
potentially violating companies' policies of users not running arbitrary
Windows programs.

I certainly can't see an end user editing selinux or rsbac and a small
chance of apparmor or rbac in order to run Enemy Territory Quake Wars
or whatever "backlash" reverted noexec from the default mount options.

noexec could have immediately quashed the rubbish like "linux is
vulnerable to viruses too" publicity when the ld.so bug was found,
potentially keeping some on windows.

noexec is not useless and I maintain that arbitrary C code is far more
dangerous than perl or shell. It would also be ridiculously easy
for script interpreters to check for noexec and die, heck a wrapper that
checked and changed the egid then allowing perl execution could do it.

"Maybe it is pointless because of usbonthego and all the past bugs in
the usb code upon insertions" (sarcasm)

It is no coincidence that most successful attacks come from phishing
and duplicated passwords. A far cry from RSBAC.

If anyone is misleading anyone, it is you. OpenBSD works for
itself (developers), it does not care even about its users, if I was
trying to get people to use it, I would and could have come up with
chapters, in fact I stopped myself and have again now. I wouldn't do
that, I don't have time to do that and respect the gentoo hardened
community, the only things I have mentioned are ones that I would like
Linux developers to take note of such as bug reduction in the Linux
kernel and making it easier to track them. OpenBSD is a big part of my
life and so it is bound to slip out when offering advice.

Have you ever disabled ipv6? We could certainly do with ipv5 (just more
addresses)

As you seem to have spent time developing your RSBAC policies and if
you have spent time with grsec's rbac, I would be interested in what you
see makes rsbac worth that extra time over grsec rbac and any good
documents for using them. It seems to me that rsbac is more robust but
takes more time to develop the policies.

Kc
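The idea raised in the message above, an interpreter wrapper that checks for noexec and dies, as an added example that is not code from the thread or from any of its participants: a hypothetical Python front end that locates the mount holding the script in a mount table (a constructed /proc/self/mounts sample is embedded so it runs offline) and refuses to hand the script to perl if that mount carries noexec. Assumes Linux and that perl is the interpreter being wrapped.

```python
import os
import sys

# Constructed sample of /proc/self/mounts content, used by the checks below
# when no real mount table is supplied (device mountpoint fstype options ...).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdb1 /media/usb vfat rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
"""


def parse_mounts(text):
    """Return a list of (mountpoint, set_of_options) from mount-table text."""
    table = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        # /proc/self/mounts escapes spaces in mount points as \040.
        table.append((fields[1].replace("\\040", " "), set(fields[3].split(","))))
    return table


def mount_for(path, table):
    """Pick the mount whose mountpoint is the longest prefix of path."""
    path = os.path.abspath(path)
    best = None
    for mountpoint, opts in table:
        if path == mountpoint or path.startswith(mountpoint.rstrip("/") + "/"):
            if best is None or len(mountpoint) > len(best[0]):
                best = (mountpoint, opts)
    return best


def path_is_noexec(path, mounts_text=None):
    """True if the mount holding path was mounted with the noexec option."""
    if mounts_text is None:
        with open("/proc/self/mounts") as fh:  # real table on a live system
            mounts_text = fh.read()
    found = mount_for(path, parse_mounts(mounts_text))
    return found is not None and "noexec" in found[1]


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: noexec-perl SCRIPT [ARGS...]")
    if path_is_noexec(sys.argv[1]):
        sys.exit(f"refusing to run {sys.argv[1]}: filesystem is mounted noexec")
    os.execvp("perl", ["perl", *sys.argv[1:]])  # hand over to the real perl
```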
