| 1 |
On Tue, Nov 25, 2008 at 08:00, Jan Klod <janklodvan@×××××.com> wrote: |
| 2 |
> Suppose, I want to take some extra precautions and set up PaX&co and MAC on a |
| 3 |
> workstation with Xorg and other nice KDE apps (only some of which should be |
| 4 |
> granted access to files in folder X). I would like to read others opinion, if |
| 5 |
> I can get considerable security improvements or I will have to make that much |
| 6 |
> of exceptions to those good rules, as it makes protection too useless? |
| 7 |
|
| 8 |
KDE (and to a lesser extent X) pretty much nullifies most application |
| 9 |
isolation efforts you're going to make. Even if you ran each |
| 10 |
application under a dedicated user and in its own chroot environment, |
| 11 |
the GUI provides IPC facilites that will readily bypass all your hard |
| 12 |
effort. As with your other email, clicking a link in one app opens a |
| 13 |
browser window in another, regardless of what user separation you |
| 14 |
might have - KDE does this under the covers, since it's what most |
| 15 |
users would actually want, but you perceive it as a security breach. |
| 16 |
|
| 17 |
"Extra precautions" is incredibly nebulous and you won't get much help |
| 18 |
in security circles unless you have specific, addressable concerns. |
| 19 |
You can do all the hardening you want, but generally speaking the more |
| 20 |
user-friendly and complex your system is the more security concessions |
| 21 |
you are going to have to make. |
Archives