On Tuesday 25 November 2008 19:58:42 RB wrote: > KDE (and to a lesser extent X) pretty much nullifies most application > isolation efforts you're going to make.
Actually, that sound like there is practically no way to keep networked workstation really secure. Sure, is not trivial to gain root access through software bugs (interesting, how many list member would be able to do it?), but no one running X can claim, he has absolutely secure system, which can't fail him regardless to who is the hacker. Furthermore, the system is said to be only as secure as the weakest part, so making hardened server will only slow down attacks and, at most, ensure server stability. Still, if there is someone ready to attack servers end clients (which ones will almost always have X running), the way can be open. Can someone explain how would it happen, the exploitation of buffer overflow in X? How would attacker gain access to X bug most importantly? What are those ways for other apps? Always different? And have there been any efforts to make PaX enabled X? Personally, I think, the best way would be using firewall to allow only the most necessary addresses, which point to trusted services (mail,sftp,...). That said, web browsing is cut off. As a conclusion of what I have read this far I can state: hardened OS is useless for non-server. Would that be too much? Well, I think, in a "black and white" no. (later is a discussion of what is better: to have 3 holes or 300) Comments?
