| 1 |
On Mon, 12 Dec 2011 20:44:37 +0100 |
| 2 |
Javier Juan Martínez Cabezón wrote: |
| 3 |
|
| 4 |
> ¿What can't you understand that you CAN translate one exploit in C in perl? |
| 5 |
> |
| 6 |
> Are you joking? any user can write in their home directories their own |
| 7 |
> perl exploits. You can't restrict that. |
| 8 |
|
| 9 |
|
| 10 |
You know you can. No perl binary, or chmod 750 or rbac as I had said. |
| 11 |
All exploits are bugs and it should be harder to escalate priviledges |
| 12 |
through perl than by introducing your own C. |
| 13 |
|
| 14 |
|
| 15 |
> You can only restrict them |
| 16 |
> under rbac which scripts can be interpreted even for root, removing |
| 17 |
> execution to perl binary doesn't solve anything, because root can |
| 18 |
> still using it. |
| 19 |
> |
| 20 |
|
| 21 |
You are simplifying everything, security is a process. Noexec is a |
| 22 |
useful tool. How much of what I said did you read. I understand your |
| 23 |
points and most security has nothing to do with root. I understand root |
| 24 |
can execute files chmodded 000 and I agree that RBAC is useful, the |
| 25 |
point is so is noexec and systrace. |
| 26 |
|
| 27 |
|
| 28 |
> I think that you don't understand the term rbac, rbac removes root. |
| 29 |
> ROOT doesn't exists anymore. |
| 30 |
> Before talking what rbac does or not first read a bit what is it |
| 31 |
> because you don't understand it. Here you has info: |
| 32 |
|
| 33 |
No it doesn't it restricts root. An exploit may bypass RBAC it may |
| 34 |
bypass mount restrictions it may bypass both it may only bypass one, in |
| 35 |
which case they are both again useful. |
| 36 |
|
| 37 |
And OpenBSDs systrace can restrict a lot. System calls are the |
| 38 |
hearts heart of an OS. |
Archives