On Tue, Nov 25, 2008 at 08:00, Jan Klod <[EMAIL PROTECTED]> wrote:
> Suppose, I want to take some extra precautions and set up PaX&co and MAC on a
> workstation with Xorg and other nice KDE apps (only some of which should be
> granted access to files in folder X). I would like to read others' opinions, if
> I can get considerable security improvements or I will have to make that much
> of exceptions to those good rules, as it makes protection too useless?

KDE (and to a lesser extent X) pretty much nullifies most application
isolation efforts you're going to make.  Even if you ran each
application under a dedicated user and in its own chroot environment,
the GUI provides IPC facilities that will readily bypass all your hard
effort.  As with your other email, clicking a link in one app opens a
browser window in another, regardless of what user separation you
might have - KDE does this under the covers, since it's what most
users would actually want, but you perceive it as a security breach.

"Extra precautions" is incredibly nebulous and you won't get much help
in security circles unless you have specific, addressable concerns.
You can do all the hardening you want, but generally speaking the more
user-friendly and complex your system is the more security concessions
you are going to have to make.

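A defender-side check for the point made in the reply above, added here as an example and not part of the original thread: it lists GUI IPC endpoints that processes running under different user accounts have in common, which is where per-user separation stops holding. The choice of `DISPLAY` and `DBUS_SESSION_BUS_ADDRESS` as the endpoints to compare and all function names are assumptions of this example.

```python
"""Audit sketch: which GUI IPC endpoints are shared across user accounts?"""
import os

# Environment variables naming a GUI IPC endpoint (assumed set for this
# example): the X display and the D-Bus session bus of the desktop.
CHANNEL_VARS = ("DISPLAY", "DBUS_SESSION_BUS_ADDRESS")


def parse_environ(raw):
    """Parse the NUL-separated bytes of /proc/<pid>/environ into a dict."""
    env = {}
    for item in raw.split(b"\0"):
        key, sep, value = item.partition(b"=")
        if sep:  # skip empty or malformed entries
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def read_procs(proc_root="/proc"):
    """Yield (pid, uid, env) per readable process (Linux only; root is
    needed to read the environment of other users' processes)."""
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        path = os.path.join(proc_root, name)
        try:
            uid = os.stat(path).st_uid
            with open(os.path.join(path, "environ"), "rb") as fh:
                yield int(name), uid, parse_environ(fh.read())
        except OSError:
            continue  # process exited, or permission denied


def shared_channels(procs):
    """Return {(var, value): {uid: [pids]}} for endpoints used by >1 uid."""
    seen = {}
    for pid, uid, env in procs:
        for var in CHANNEL_VARS:
            if env.get(var):
                seen.setdefault((var, env[var]), {}).setdefault(uid, []).append(pid)
    return {chan: uids for chan, uids in seen.items() if len(uids) > 1}


if __name__ == "__main__":
    for (var, value), uids in sorted(shared_channels(read_procs()).items()):
        print(f"{var}={value} shared by uids {sorted(uids)}")
```

The environment read from `/proc` is the one the process was started with, so an endpoint opened later by other means will not show up here.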