Stewart Stremler wrote:
begin quoting Todd Walton as of Tue, Feb 01, 2005 at 08:18:00PM -0800:
On Tue, 1 Feb 2005 14:23:38 -0800, Stewart Stremler <[EMAIL PROTECTED]> wrote:
begin quoting Todd Walton as of Tue, Feb 01, 2005 at 11:48:09AM -0800:
Wow. That's a really good point. I hadn't thought of that.
Oh, yes, sorry. I was thinking of what your opinion necessarily
implied.
Well, it's an opinion. It has yet to be experimentally tested.
:)
That being that dumb users will create dumb programs and
dumb security. Is GNU/Linux (or even Unix in general) secure enough
that even inexperienced programmers can't write system-compromising
code? I don't think so.
SELinux will probably go a long way towards that.
And to the extent that it *is*, will Linux
*stay* that way? Maybe not. It's commonplace for Red Hat, for
example, to make structural changes where they think it's appropriate.
Users have to be able to do certain things, like install 3rd party software. So long as installing 3rd party software requires root access, there is a potential vulnerability that even SELinux can't
protect against.
I tend to trust Red Hat (mostly), but what happens if the Linspires
of the world see a way to make Linux easy to use and follow Red Hat in
their tinkering? I don't trust Linspire in this regard.
Linspire and friends are perhaps the extreme example of how to disregard security.
I would *like* to see a system where:
- the default is that any partition mounted exec is mounted ro, and any partition mounted rw is mounted noexec
- root access is not required to install non-core software; that is, software that is required to boot the system or which provides login
capabilities requires root, and no other.
I realize that KeyKOS has been replaced. But from what I was reading about it, that sounds kinda like what you are wishing for here. I recall that your chief objection to it was the persistent state. But that aside, I think you would probably like the rest of it.
- guaranteed command-sequence to provide login prompt. Even Microsoft
got this one right with Windows NT. It would be better if keyboards
shipped with a key that killed the current session and brought up a
trusted login prompt. (A useful exercise is to write a program that
emulates the linux console login, obtains a username and password,
emits a false error and/or "simulated core dump", and then exits to
the real console login.)
This last bulleted item is the only one I did not follow.
-Stewart "Don't want much." Stremler
--
KPLUG-List mailing list [email protected] http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
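Stewart's first bullet ("any partition mounted exec is mounted ro, and any partition mounted rw is mounted noexec") is a policy that can be checked mechanically. The script below is an added example, not code from the thread or from any of its participants: it reads lines in the format of /proc/mounts (or /etc/fstab, treating the fstab keyword "defaults" as rw,exec), flags every filesystem that is both writable and executable, and suggests the remount that would bring it into line. The mount table it audits is constructed for the example and was not captured from a real host; `--real` is an assumed flag that runs the same check against the live /proc/mounts.

```shell
#!/bin/sh
# Added example (not from the KPLUG thread): audit mounts against the policy
# "anything mounted exec is ro, anything mounted rw is noexec".
# Reads /proc/mounts- or /etc/fstab-style lines on stdin:
#   <device> <mountpoint> <fstype> <options> [<dump> <pass>]
# Prints one VIOLATION line per mount that is writable and executable,
# and returns 1 if any were found, 0 otherwise.
audit_mounts() {
    rc=0
    while read -r dev mnt fstype opts _dump _pass; do
        # skip blank lines and fstab comments
        case "$dev" in ''|\#*) continue ;; esac
        padded=",$opts,"          # pad so ",ro," cannot match "remount-ro"
        writable=0
        case "$padded" in
            *,ro,*) writable=0 ;;               # explicit ro wins
            *,rw,*|*,defaults,*) writable=1 ;;  # rw, or fstab "defaults" (= rw,exec,...)
        esac
        executable=1                            # exec is the kernel default
        case "$padded" in
            *,noexec,*) executable=0 ;;
        esac
        if [ "$writable" -eq 1 ] && [ "$executable" -eq 1 ]; then
            echo "VIOLATION: $mnt ($fstype) is rw and exec: $opts"
            echo "  remediation: mount -o remount,noexec $mnt   (or remount it ro)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample in /proc/mounts format; not captured from a real host.
sample_mounts() {
cat <<'EOF'
/dev/sda1 / ext4 ro,relatime 0 0
/dev/sda2 /usr ext4 ro,relatime 0 0
/dev/sda3 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda4 /var ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdb1 /opt ext4 defaults 0 0
EOF
}

# Count violations in whatever is piped in; prints a number.
count_violations() {
    audit_mounts | grep -c '^VIOLATION' || true
}

# Stand-alone run: two of the six sample mounts (/var and /opt) violate.
# "--real" (assumed flag for this example) audits the running system instead.
if [ "${1:-}" = "--real" ]; then
    audit_mounts < /proc/mounts || echo "policy violations found"
else
    sample_mounts | audit_mounts || echo "policy violations found"
fi
```

Run it with no arguments to see the check against the constructed table, or `sh audit.sh --real` to audit the host you are on. Expect the live run to complain about the root filesystem on almost any stock distribution, which is exactly the gap between Stewart's wish list and the defaults shipped at the time; the second bullet (installing non-core software without root) is what would let a system live with a read-only /usr in practice.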
