Re: [DNG] What does this remind you of?
Dr. Nikolaus Klepp wrote:

>> I doubt this could be ever implemented correctly as you have to check
>> every code path of every app you will armorize or as soon as your usage
>> diverges from what the distro gurus have envisioned your program
>> will stop working without even a warning.
>> Next then we will need a uber-apparmor that checks apparmor safety
>> and anyway more code more bugs less security. Why not fix the existing
>> programs instead?
>
> The point is to delegate access control to a higher instance e.g. kernel. The
> problem is, that apparmor looks at a program from the outside and tries
> to do the right thing with that black box - or what the profiles provider
> thought was the right thing.
>
> OpenBSD has quite an interesting approach with unveil (
> https://man.openbsd.org/unveil.2 ) and pledge (
> https://man.openbsd.org/pledge ). The programmer itself takes care what the
> program will use and tells the system that what e.g. access privileges it
> does not want to use from now on. That's the look at the world from the
> inside, no black box involved. If you dropped things, you can never get them
> back, so evil hackers code is confined inside the same cage.

As I see it, both approaches have merit.

The downside of doing it inside the application is that you are then trusting the programmer to have got the protection code correct - when we are assuming the function of the protection code is to protect from the programmer's errors. Yes, dropping privileges is a good idea - as long as it's done reliably.

The alternative of looking from the outside at a black box is that the person doing the looking was not the one building the black box. Thus while you lose the granularity possible when doing it from inside the box, you have created a separation of functions.

I don't think either approach is "right" or "wrong" - but doing both would probably be best.

Simon

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] What does this remind you of?
On 07/03/2021 at 18:20, tito via Dng wrote:

> On Sun, 7 Mar 2021 18:03:30 +0100
> Antony Stone wrote:
>
>> On Sunday 07 March 2021 at 17:59:22, Steve Litt wrote:
>>
>>> See this web page:
>>>
>>> https://en.wikipedia.org/wiki/Anti-pattern
>>>
>>> I'd say at least half of the listed anti-patterns are used by
>>> systemd.
>> Very nice.
>>
>> Antony.
>>
> Hi,
> this makes me think of the times when you could startx
> with IceWM on a 1.44 floppy disk. That was simplicity
> and to a certain extent poetry. I personally would scrap:
> dbus
> consolekit
> packagekit
> policykit
> systemd
> apparmor
> selinux
> I am sure I've forgot some other garbage.
>
> P.S.: I'm open to new technologies..
> when they follow a simple rule: less code is better
> as I can understand only as much code as fits
> onto my screen.

Ciao Tito,

I would get rid of all the same if I could. I wrote it to this list several times, except apparmor I still don't know anything of - not installed Beowulf yet. And I don't think selinux is forced on anyone yet. But there is also this feature of file capabilities and file extended attributes which started a decade ago and looks like a nightmare.

-- Didier
Re: [DNG] What does this remind you of?
Anno domini 2021 Sun, 7 Mar 19:18:42 +0100 tito via Dng wrote:

> On Sun, 7 Mar 2021 19:11:18 +0100
> "d...@d404.nl" wrote:
>
> > On 07-03-2021 18:20, tito via Dng wrote:
> > > On Sun, 7 Mar 2021 18:03:30 +0100
> > > Antony Stone wrote:
> > >
> > >> On Sunday 07 March 2021 at 17:59:22, Steve Litt wrote:
> > >>
> > >>> See this web page:
> > >>>
> > >>> https://en.wikipedia.org/wiki/Anti-pattern
> > >>>
> > >>> I'd say at least half of the listed anti-patterns are used by
> > >>> systemd.
> > >> Very nice.
> > >>
> > >> Antony.
> > >>
> > > Hi,
> > > this makes me think of the times when you could startx
> > > with IceWM on a 1.44 floppy disk. That was simplicity
> > > and to a certain extent poetry. I personally would scrap:
> > > dbus
> > > consolekit
> > > packagekit
> > > policykit
> > > systemd
> > > apparmor
> > > selinux
> > > I am sure I've forgot some other garbage.
> > >
> > > P.S.: I'm open to new technologies..
> > > when they follow a simple rule: less code is better
> > > as I can understand only as much code as fits
> > > onto my screen.
> > >
> > > Ciao,
> > > Tito
> >
> > Hi,
> >
> > Mostly agree with you and in its current state apparmor belongs to
> > this list. In the same time I like the idea of apparmor in limiting
> > apps behavior. It could be most useful if implemented correctly.
> >
> > Grtz.
> >
> > Nick
> >
>
> Hi,
> I doubt this could be ever implemented correctly as you have to check
> every code path of every app you will armorize or as soon as your usage
> diverges from what the distro gurus have envisioned your program
> will stop working without even a warning.
> Next then we will need a uber-apparmor that checks apparmor safety
> and anyway more code more bugs less security. Why not fix the existing
> programs instead?

The point is to delegate access control to a higher instance e.g. kernel. The problem is, that apparmor looks at a program from the outside and tries to do the right thing with that black box - or what the profiles provider thought was the right thing.

OpenBSD has quite an interesting approach with unveil ( https://man.openbsd.org/unveil.2 ) and pledge ( https://man.openbsd.org/pledge ). The programmer itself takes care what the program will use and tells the system that what e.g. access privileges it does not want to use from now on. That's the look at the world from the inside, no black box involved. If you dropped things, you can never get them back, so evil hackers code is confined inside the same cage.

Nik

>
> Ciao,
> Tito

--
Please do not email me anything that you are not comfortable also sharing with the NSA, CIA ...
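
[Added example, not part of the original thread and not code from OpenBSD or any poster.] The "from the inside" confinement described in the message above, sketched in C for OpenBSD: a child process unveils one directory, locks the list, pledges a reduced promise set, and then checks that neither the view nor the promises can be widened again. The names cage_result, confine_and_probe and run_cage_demo and the paths /tmp and /etc/hosts are assumptions chosen for illustration; on systems without pledge(2)/unveil(2) the function only reports that the mechanism is unsupported.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>
/* Hypothetical result codes for this example. */
enum cage_result { CAGE_HELD, CAGE_LEAKED, CAGE_SETUP_FAILED, CAGE_UNSUPPORTED };
#ifdef __OpenBSD__
/* Child side: shrink our own privileges, then try to get them back. */
static enum cage_result confine_and_probe(const char *dir, const char *outside)
{
    if (unveil(dir, "r") == -1)                 /* only this tree stays visible */
        return CAGE_SETUP_FAILED;
    if (unveil(NULL, NULL) == -1)               /* lock the unveil list */
        return CAGE_SETUP_FAILED;
    if (unveil("/", "r") == 0)                  /* widening after the lock must fail */
        return CAGE_LEAKED;
    if (pledge("stdio rpath", NULL) == -1)      /* keep stdio and read-only paths */
        return CAGE_SETUP_FAILED;
    if (pledge("stdio rpath wpath", NULL) == 0) /* promises can only shrink */
        return CAGE_LEAKED;
    if (open(outside, O_RDONLY) != -1)          /* path outside the unveiled tree */
        return CAGE_LEAKED;
    return errno == ENOENT ? CAGE_HELD : CAGE_SETUP_FAILED;
}
#endif

/* Runs the probe in a forked child so the caller itself stays unconfined. */
enum cage_result run_cage_demo(const char *dir, const char *outside)
{
#ifdef __OpenBSD__
    int status;
    pid_t pid = fork();
    if (pid == 0)
        _exit(confine_and_probe(dir, outside));
    if (pid == -1 || waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return CAGE_SETUP_FAILED;               /* includes a child killed by pledge */
    return (enum cage_result)WEXITSTATUS(status);
#else
    (void)dir; (void)outside;                   /* no pledge/unveil on this OS */
    return CAGE_UNSUPPORTED;
#endif
}

int main(void)
{
    static const char *names[] = { "held", "leaked", "setup failed", "unsupported" };
    puts(names[run_cage_demo("/tmp", "/etc/hosts")]);
    return 0;
}
```

The probe calls unveil() a second time before pledge(), because once the process has pledged without the "unveil" promise a further unveil() call is a pledge violation that kills the process instead of returning an error.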
Re: [DNG] What does this remind you of?
> See https://wiki.ubuntu.com/AppArmor for an explanation.

Ubuntu? What's that? Is that the thing they use in North America 'cause they never heard of Debian?

There is https://wiki.debian.org/AppArmor too, it seems (never read it).

Bernard (Beer) Rosset
https://rosset.net/
Re: [DNG] What does this remind you of?
On 07-03-2021 19:22, Marc Shapiro via Dng wrote:

>
> What does apparmor actually do? It was installed on my system as a
> Recommends for my kernel (linux-image-4.19.0-14-amd64), but I get
> warnings of some type every time I reboot (which I don't do often, so
> I can't say just what the warnings are). Is there any reason to keep
> it installed? Or can I just uninstall it?
>
> Marc
>
> On 3/7/21 10:11 AM, d...@d404.nl wrote:
>> On 07-03-2021 18:20, tito via Dng wrote:
>>> On Sun, 7 Mar 2021 18:03:30 +0100
>>> Antony Stone wrote:
>>>
>>>> On Sunday 07 March 2021 at 17:59:22, Steve Litt wrote:
>>>>
>>>>> See this web page:
>>>>>
>>>>> https://en.wikipedia.org/wiki/Anti-pattern
>>>>>
>>>>> I'd say at least half of the listed anti-patterns are used by
>>>>> systemd.
>>>> Very nice.
>>>>
>>>> Antony.
>>>>
>>> Hi,
>>> this makes me think of the times when you could startx
>>> with IceWM on a 1.44 floppy disk. That was simplicity
>>> and to a certain extent poetry. I personally would scrap:
>>> dbus
>>> consolekit
>>> packagekit
>>> policykit
>>> systemd
>>> apparmor
>>> selinux
>>> I am sure I've forgot some other garbage.
>>>
>>> P.S.: I'm open to new technologies..
>>> when they follow a simple rule: less code is better
>>> as I can understand only as much code as fits
>>> onto my screen.
>>>
>>> Ciao,
>>> Tito
>> Hi,
>>
>> Mostly agree with you and in its current state apparmor belongs to this
>> list. In the same time I like the idea of apparmor in limiting apps
>> behavior. It could be most useful if implemented correctly.
>>
>> Grtz.
>>
>> Nick
>>
>>

See https://wiki.ubuntu.com/AppArmor for an explanation.

Grz.

Nick
Re: [DNG] What does this remind you of?
What does apparmor actually do? It was installed on my system as a Recommends for my kernel (linux-image-4.19.0-14-amd64), but I get warnings of some type every time I reboot (which I don't do often, so I can't say just what the warnings are). Is there any reason to keep it installed? Or can I just uninstall it?

Marc

On 3/7/21 10:11 AM, d...@d404.nl wrote:

> On 07-03-2021 18:20, tito via Dng wrote:
>> On Sun, 7 Mar 2021 18:03:30 +0100
>> Antony Stone wrote:
>>
>>> On Sunday 07 March 2021 at 17:59:22, Steve Litt wrote:
>>>
>>>> See this web page:
>>>>
>>>> https://en.wikipedia.org/wiki/Anti-pattern
>>>>
>>>> I'd say at least half of the listed anti-patterns are used by
>>>> systemd.
>>> Very nice.
>>>
>>> Antony.
>>>
>> Hi,
>> this makes me think of the times when you could startx
>> with IceWM on a 1.44 floppy disk. That was simplicity
>> and to a certain extent poetry. I personally would scrap:
>> dbus
>> consolekit
>> packagekit
>> policykit
>> systemd
>> apparmor
>> selinux
>> I am sure I've forgot some other garbage.
>>
>> P.S.: I'm open to new technologies..
>> when they follow a simple rule: less code is better
>> as I can understand only as much code as fits
>> onto my screen.
>>
>> Ciao,
>> Tito
> Hi,
>
> Mostly agree with you and in its current state apparmor belongs to this
> list. In the same time I like the idea of apparmor in limiting apps
> behavior. It could be most useful if implemented correctly.
>
> Grtz.
>
> Nick
Re: [DNG] What does this remind you of?
On Sun, 7 Mar 2021 19:11:18 +0100
"d...@d404.nl" wrote:

> On 07-03-2021 18:20, tito via Dng wrote:
> > On Sun, 7 Mar 2021 18:03:30 +0100
> > Antony Stone wrote:
> >
> >> On Sunday 07 March 2021 at 17:59:22, Steve Litt wrote:
> >>
> >>> See this web page:
> >>>
> >>> https://en.wikipedia.org/wiki/Anti-pattern
> >>>
> >>> I'd say at least half of the listed anti-patterns are used by
> >>> systemd.
> >> Very nice.
> >>
> >> Antony.
> >>
> > Hi,
> > this makes me think of the times when you could startx
> > with IceWM on a 1.44 floppy disk. That was simplicity
> > and to a certain extent poetry. I personally would scrap:
> > dbus
> > consolekit
> > packagekit
> > policykit
> > systemd
> > apparmor
> > selinux
> > I am sure I've forgot some other garbage.
> >
> > P.S.: I'm open to new technologies..
> > when they follow a simple rule: less code is better
> > as I can understand only as much code as fits
> > onto my screen.
> >
> > Ciao,
> > Tito
>
> Hi,
>
> Mostly agree with you and in its current state apparmor belongs to
> this list. In the same time I like the idea of apparmor in limiting
> apps behavior. It could be most useful if implemented correctly.
>
> Grtz.
>
> Nick
>

Hi,
I doubt this could be ever implemented correctly as you have to check every code path of every app you will armorize or as soon as your usage diverges from what the distro gurus have envisioned your program will stop working without even a warning.
Next then we will need a uber-apparmor that checks apparmor safety and anyway more code more bugs less security. Why not fix the existing programs instead?

Ciao,
Tito
Re: [DNG] What does this remind you of?
On 07-03-2021 18:20, tito via Dng wrote:

> On Sun, 7 Mar 2021 18:03:30 +0100
> Antony Stone wrote:
>
>> On Sunday 07 March 2021 at 17:59:22, Steve Litt wrote:
>>
>>> See this web page:
>>>
>>> https://en.wikipedia.org/wiki/Anti-pattern
>>>
>>> I'd say at least half of the listed anti-patterns are used by
>>> systemd.
>> Very nice.
>>
>> Antony.
>>
> Hi,
> this makes me think of the times when you could startx
> with IceWM on a 1.44 floppy disk. That was simplicity
> and to a certain extent poetry. I personally would scrap:
> dbus
> consolekit
> packagekit
> policykit
> systemd
> apparmor
> selinux
> I am sure I've forgot some other garbage.
>
> P.S.: I'm open to new technologies..
> when they follow a simple rule: less code is better
> as I can understand only as much code as fits
> onto my screen.
>
> Ciao,
> Tito

Hi,

Mostly agree with you and in its current state apparmor belongs to this list. In the same time I like the idea of apparmor in limiting apps behavior. It could be most useful if implemented correctly.

Grtz.

Nick
Re: [DNG] What does this remind you of?
On Sun, 7 Mar 2021 18:03:30 +0100
Antony Stone wrote:

> On Sunday 07 March 2021 at 17:59:22, Steve Litt wrote:
>
> > See this web page:
> >
> > https://en.wikipedia.org/wiki/Anti-pattern
> >
> > I'd say at least half of the listed anti-patterns are used by
> > systemd.
>
> Very nice.
>
> Antony.
>

Hi,
this makes me think of the times when you could startx
with IceWM on a 1.44 floppy disk. That was simplicity
and to a certain extent poetry. I personally would scrap:
dbus
consolekit
packagekit
policykit
systemd
apparmor
selinux
I am sure I've forgot some other garbage.

P.S.: I'm open to new technologies..
when they follow a simple rule: less code is better
as I can understand only as much code as fits
onto my screen.

Ciao,
Tito
Re: [DNG] What does this remind you of?
On Sunday 07 March 2021 at 17:59:22, Steve Litt wrote:

> See this web page:
>
> https://en.wikipedia.org/wiki/Anti-pattern
>
> I'd say at least half of the listed anti-patterns are used by systemd.

Very nice.

Antony.

--
I bought a book about anti-gravity. The reviews say you can't put it down.

Please reply to the list; please *don't* CC me.
[DNG] What does this remind you of?
See this web page:

https://en.wikipedia.org/wiki/Anti-pattern

I'd say at least half of the listed anti-patterns are used by systemd.

SteveT

Steve Litt
Spring 2021 featured book: Troubleshooting Techniques of the Successful Technologist
http://www.troubleshooters.com/techniques