On Tue, Nov 25, 2008 at 08:00, Jan Klod <janklodvan@×××××.com> wrote:
> Suppose, I want to take some extra precautions and set up PaX&co and MAC on a
> workstation with Xorg and other nice KDE apps (only some of which should be
> granted access to files in folder X). I would like to read others' opinion, if
> I can get considerable security improvements or I will have to make that much
> of exceptions to those good rules, as it makes protection too useless?
|
KDE (and to a lesser extent X) pretty much nullifies most application
isolation efforts you're going to make. Even if you ran each
application under a dedicated user and in its own chroot environment,
the GUI provides IPC facilities that will readily bypass all your hard
effort. As with your other email, clicking a link in one app opens a
browser window in another, regardless of what user separation you
might have - KDE does this under the covers, since it's what most
users would actually want, but you perceive it as a security breach.
|
"Extra precautions" is incredibly nebulous and you won't get much help
in security circles unless you have specific, addressable concerns.
You can do all the hardening you want, but generally speaking the more
user-friendly and complex your system is the more security concessions
you are going to have to make.