On Mon, 12 Dec 2011 20:44:37 +0100
Javier Juan Martínez Cabezón wrote:

> What can't you understand that you CAN translate one exploit in C in perl?
>
> Are you joking? Any user can write in their home directories their own
> perl exploits. You can't restrict that.

You know you can. No perl binary, or chmod 750 or rbac as I had said.
All exploits are bugs and it should be harder to escalate privileges
through perl than by introducing your own C.

> You can only restrict them
> under rbac which scripts can be interpreted even for root, removing
> execution to perl binary doesn't solve anything, because root can
> still use it.
>

You are simplifying everything, security is a process. Noexec is a
useful tool. How much of what I said did you read? I understand your
points and most security has nothing to do with root. I understand root
can execute files chmodded 000 and I agree that RBAC is useful, the
point is so is noexec and systrace.

> I think that you don't understand the term rbac, rbac removes root.
> ROOT doesn't exist anymore.
> Before talking what rbac does or not first read a bit what is it
> because you don't understand it. Here you have info:

No it doesn't, it restricts root. An exploit may bypass RBAC, it may
bypass mount restrictions, it may bypass both, it may only bypass one, in
which case they are both again useful.

And OpenBSD's systrace can restrict a lot. System calls are the
hearts heart of an OS.