begin quoting Todd Walton as of Tue, Feb 01, 2005 at 08:18:00PM -0800: > On Tue, 1 Feb 2005 14:23:38 -0800, Stewart Stremler <[EMAIL PROTECTED]> wrote: > > begin quoting Todd Walton as of Tue, Feb 01, 2005 at 11:48:09AM -0800: > > > > > > Wow. That's a really good point. I hadn't thought of that. > > > > Well, it's an opinion. It has yet to be experimentally tested. > > Oh, yes, sorry. I was thinking of what your opinion necessarily > implied.
:) > That being that dumb users will create dumb programs and > dumb security. Is GNU/Linux (or even Unix in general) secure enough > that even inexperienced programmers can't write system-compromising > code? I don't think so. SELinux will probably go a long way towards that. > And to the extent that it *is*, will Linux > *stay* that way? Maybe not. It's commonplace for Red Hat, for > example, to make structural changes where they think it's appropriate. Users have to be able to do certain things, like install 3rd party software. So long as installing 3rd party software requires root access, there is a potential vulnerability that even SELinux can't protect against. > I tend to trust Red Hat (mostly), but what happens if the Linspires > of the world see a way to make Linux easy to use and follow Red Hat in > their tinkering? I don't trust Linspire in this regard. Linspire and friends are perhaps the extreme example of how to disregard security. I would *like* to see a system where: - the default is that any partition mounted exec is mounted ro, and any partition mounted rw is mounted noexec - it is trivially possible to set up a chroot-style jail without having to copy large numbers of files or to make a handful of of rebind mounts; this requires either statically-linked executables or new functionality in the kernel and user-tools. Specifically, I'd love to be able to write: % sandbox -rw $HOME/MozData -rw /tmp/Moz$$ mozilla & ...and run mozilla so that The Entire System is read-only for that process and _all_ processes created by that process and sub-processes, except for $HOME/MozData and a directory in /tmp -- this sort of thing could be put into an alias or scripts in $HOME/bin, and then eventually incorporated into a shell that would run _all_ programs in a sandbox by default. To make things simple, an option should be provided that makes the system *appear* to be read/write and/or running at UID 0, but writes to unauthorized parts of the system get redirected into a quarantine area. Running a sandboxed process inside another with broader permissions would _appear_ to work, but would automatically set up the quarantine area. It might be nice if there was an option to "overlay" that quarantine area on the filesystem for subsequent runs of the same or other programs. SELinux does *some* of this, I'm sure, but when I last look, it did so statically, not dynamically. - root access is not required to install non-core software; that is, software that is required to boot the system or which provides login capabilities requires root, and no other. - an installation mechanism that doesn't depend on arbitary scripts, tools, or programs supplied by the application being installed; if priveleged access is required, it should be done before invoking the installer, or by the system installer, not the installation script(s). The install does a very small part of this. - built-in tripwire-type capability that is simpler to setup, configure, maintain, and check. Presumably, you'd want to be able to write the database to a bootable CD that would check the system on startup, as a single step. Naturally when checking the system, *everything* would be mounted noexec. - guaranteed command-sequence to provide login prompt. Even Microsoft got this one right with Windows NT. It would be better if keyboards shipped with a key that killed the current session and brought up a trusted login prompt. (A useful exercise is to write a program that emulates the linux console login, obtains a username and password, emits a false error and/or "simulated core dump", and then exits to the real console login.) -Stewart "Don't want much." Stremler -- KPLUG-List mailing list [email protected] http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
