On 9/24/07, Martin Schrvder [EMAIL PROTECTED] wrote:
2007/9/24, Joachim Schipper [EMAIL PROTECTED]:
Sure it does, just pull from CVS over SSH and compile your own. Only
Where do I get the ssh fingerprints of the CVS servers?
Where do you get the public keys for the digitally signed
Sure it does, just pull from CVS over SSH and compile your own. Only
Where do I get the ssh fingerprints of the CVS servers?
http://www.openbsd.org/anoncvs.html#CVSROOT, of course.
Not all are listed, but one can either use one that needs verified or
contact the maintainer for a correct
In all my experience, every single complex security policy I've seen
has very serious issues. Complexity kills it. There's always a scenario
somewhere that someone has forgotten about that breaks stuff.
Heck, this even happens with access control systems like PAM. About every
3 months, we hear
Just for the fun of it, some people subscribe to misc@ from politically
correct accounts.
So, I got a bounce on my last email, because I was saying that complex
security ACLs were fucked up by design.
This email is probably going to get blocked too, which is all that they
deserve.
Fucking
On 23/09/2007, at 3:38 AM, Ihar Hrachyshka wrote:
The problem of Linux as a whole is that it tries to resolve security
problems not by auditing code but by implementing SELinux.
That is a really interesting statement.
But what
the problem would be if OpenBSD has SeBSD extension? It's just
On Tue, 25 Sep 2007 00:08:15 +1000, David Gwynne [EMAIL PROTECTED] wrote:
What I'm trying to say is that all the services I listed before make
their own little SELinux layer with appropriate policy built into
them. Better than SELinux though is that the monitor is enabled by
default and
On 9/22/07, Douglas A. Tutty [EMAIL PROTECTED] wrote:
Could someone who knows both the details of OBSDs security enhancements
and the details of SELinux comment?
A capsule summary of the situation is:
OpenBSD aims to improve security by taking advantage of easy-to-use,
hard-to-disable,
2007/9/24, Joachim Schipper [EMAIL PROTECTED]:
Sure it does, just pull from CVS over SSH and compile your own. Only
Where do I get the ssh fingerprints of the CVS servers?
And if I use cvsync, where do I get fingerprints?
Best
Martin
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Martin Schrvder
Sent: Monday, September 24, 2007 11:18 AM
To: misc@openbsd.org
Subject: Re: digitally signed distribution (was: OBSD's
perspective on SELinux)
2007/9/24, Joachim Schipper [EMAIL
On Sun, Sep 23, 2007 at 10:54:06PM +0100, Rui Miguel Silva Seabra wrote:
On Sat, Sep 22, 2007 at 06:47:46PM -0500, L. V. Lammert wrote:
OBSD is UNIX, .. SELinux is Linux. If you want a secure, efficient,
compact OS done by folks you can trust and actually talk to, use OBSD; if
you want
On Mon, Sep 24, 2007 at 05:18:05PM +0200, Martin Schr?der wrote:
2007/9/24, Joachim Schipper [EMAIL PROTECTED]:
Sure it does, just pull from CVS over SSH and compile your own. Only
Where do I get the ssh fingerprints of the CVS servers?
And if I use cvsync, where do I get fingerprints?
2007/9/24, Wade, Daniel [EMAIL PROTECTED]:
Where do I get the ssh fingerprints of the CVS servers?
And if I use cvsync, where do I get fingerprints?
http://www.openbsd.org/anoncvs.html#CVSROOT
Thanks. It's not complete (i.e. not all servers have fingerprints),
but a start.
This doesn't
2007/9/24, Gilles Chehade [EMAIL PROTECTED]:
You can fingerprint the tarballs and compare against the ones on the CD
you bought to support the project ? :-)
I can.
But can we agree that packages are not digitally signed, patches are
not digitally signed and the methods used to distribute
Hi,
On Mon, Sep 24, 2007 at 04:31:22PM +0100, Brian Candler wrote:
On Sun, Sep 23, 2007 at 10:54:06PM +0100, Rui Miguel Silva Seabra wrote:
On Sat, Sep 22, 2007 at 06:47:46PM -0500, L. V. Lammert wrote:
OBSD is UNIX, .. SELinux is Linux. If you want a secure, efficient,
compact OS done
On 9/23/07, Rui Miguel Silva Seabra [EMAIL PROTECTED] wrote:
Can you say root can only run this and that application when su'ed from
that guy, and may not open any net connection, but open this file and none
else in OpenBSD? If so, how can I do it? :)
man 4 systrace
On Mon, 24 Sep 2007, Martin Schrvder wrote:
But can we agree that packages are not digitally signed, patches are
not digitally signed and the methods used to distribute sources online
also don't use digital signatures? And that md5/sha1 and pgp are older
than OBSD?
I just wanted to add that
Ted Unangst wrote:
On 9/23/07, Rui Miguel Silva Seabra [EMAIL PROTECTED] wrote:
Can you say root can only run this and that application when su'ed from
that guy, and may not open any net connection, but open this file and none
else in OpenBSD? If so, how can I do it? :)
man 4 systrace
On 24.09-10:25, Jason Dixon wrote:
[ ... ]
What I'm trying to say is that all the services I listed before make
their own little SELinux layer with appropriate policy built into
them. Better than SELinux though is that the monitor is enabled by
default and generally can't be turned off.
Rui Miguel Silva Seabra wrote:
Hi,
On Mon, Sep 24, 2007 at 04:31:22PM +0100, Brian Candler wrote:
On Sun, Sep 23, 2007 at 10:54:06PM +0100, Rui Miguel Silva Seabra wrote:
On Sat, Sep 22, 2007 at 06:47:46PM -0500, L. V. Lammert wrote:
OBSD is UNIX, .. SELinux is Linux. If you want a
On 9/24/07, Jacob Yocom-Piatt [EMAIL PROTECTED] wrote:
Ted Unangst wrote:
On 9/23/07, Rui Miguel Silva Seabra [EMAIL PROTECTED] wrote:
Can you say root can only run this and that application when su'ed from
that guy, and may not open any net connection, but open this file and none
else
On 24.09-11:49, Can E. Acar wrote:
[ ... ]
The guy can be some stupid binary software with an if(uid!=root) bail();
People running arbitrary binary software requiring root on their systems
deserve what they get. You can not work around this stupidity by ANY policy.
that is not the case and
On 9/24/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
On 24.09-11:49, Can E. Acar wrote:
[ ... ]
The guy can be some stupid binary software with an if(uid!=root) bail();
People running arbitrary binary software requiring root on their systems
deserve what they get. You can not work
On Mon, Sep 24, 2007 at 11:49:20AM -0700, Can E. Acar wrote:
In security, complex != good.
Yes, which is one of the reasons I personally believe Visa's PCI is an
extortion sham.
However, some hugely influential entities happen to require those
complexities, and no reason on the world will
The guy can be some stupid binary software with an if(uid!=root) bail();
People running arbitrary binary software requiring root on their systems
deserve what they get. You can not work around this stupidity by ANY policy.
that is not the case and is, in fact, the entire point of
On 24.09-13:48, Darren Spruell wrote:
[ ... ]
Oh, that sounds like a recipe for success.
- Run _arbitrary_ _binary_ application on system. Intend to use policy
wrapper to restrict to allowed operations.
exactly, if the application cannot run within the defined policies it
will not be allowed
On 24.09-14:28, Luke Bakken wrote:
[ ... ]
Intelligent sysadmins know every setuid binary on their system.
Unintelligent ones get owned.
you'll forgive me if this does not sound intelligent to me. a
consiencous sysadmin looks at the requirements and picks the best
tools to match. in the vast
[EMAIL PROTECTED] wrote:
On 24.09-13:48, Darren Spruell wrote:
[ ... ]
Oh, that sounds like a recipe for success.
- Run _arbitrary_ _binary_ application on system. Intend to
use policy
wrapper to restrict to allowed operations.
exactly, if the application cannot run within the
On 9/24/07, Tony Abernethy [EMAIL PROTECTED] wrote:
snip
Burroughs Computers essentially went out of business because their
computers refused to do illegal operations
This is ironic considering that Burroughs Corp was founded by William
S. Burroughs' grandfather ;-)
On Sat, 22 Sep 2007, Douglas A. Tutty wrote:
Hello all,
I'm running OBSD on my older boxes but still Debian on my big box (not
ready yet).
Linux has SELinux in its 2.6 kernel and debian has gone ahead and
compiled SELinux into the libraries, although the SELinux policies
aren't ready on
Burroughs Computers essentially went out of business because their
computers refused to do illegal operations while IBM's computers
very happily did all sorts of illegal stuff.
Way off topic here... Burroughs became part of Unisys and the
architecture that refused to do illegal operations
On Sat, Sep 22, 2007 at 08:38:17PM +0300, Ihar Hrachyshka wrote:
The problem of Linux as a whole is that it tries to resolve security
problems not by auditing code but by implementing SELinux. But what
the problem would be if OpenBSD has SeBSD extension?
I think the nearest equivalent is
On Sat, Sep 22, 2007 at 06:47:46PM -0500, L. V. Lammert wrote:
OBSD is UNIX, .. SELinux is Linux. If you want a secure, efficient,
compact OS done by folks you can trust and actually talk to, use OBSD; if
you want 'fairly secure Linux' [which has had thousands of hand in it
including NSA, as
On Sun, Sep 23, 2007 at 10:54:06PM +0100, Rui Miguel Silva Seabra wrote:
Remember: OpenBSD still doesn't have a digitally signed code distribution,
and in some places that means it can't enter! Stupid, I know, but not too
stupid for the blame game rules, which sort of ignore the secure by
On Mon, Sep 24, 2007 at 12:35:54AM +0200, Joachim Schipper wrote:
On Sun, Sep 23, 2007 at 10:54:06PM +0100, Rui Miguel Silva Seabra wrote:
Remember: OpenBSD still doesn't have a digitally signed code distribution,
and in some places that means it can't enter! Stupid, I know, but not too
Hello all,
I'm running OBSD on my older boxes but still Debian on my big box (not
ready yet).
Linux has SELinux in its 2.6 kernel and debian has gone ahead and
compiled SELinux into the libraries, although the SELinux policies
aren't ready on debian yet. The whole focus seems to be to make
On Sat, Sep 22, 2007 at 11:34:33AM -0400, Douglas A. Tutty wrote:
Linux has SELinux in its 2.6 kernel and debian has gone ahead and
compiled SELinux into the libraries, although the SELinux policies
aren't ready on debian yet. The whole focus seems to be to make Linux
more secure. I'm not
On Sep 22, 2007, at 12:00 PM, Darrin Chandler wrote:
On Sat, Sep 22, 2007 at 11:34:33AM -0400, Douglas A. Tutty wrote:
Linux has SELinux in its 2.6 kernel and debian has gone ahead and
compiled SELinux into the libraries, although the SELinux policies
aren't ready on debian yet. The whole
On 9/23/07, Jason Dixon [EMAIL PROTECTED] wrote:
On Sep 22, 2007, at 12:00 PM, Darrin Chandler wrote:
On Sat, Sep 22, 2007 at 11:34:33AM -0400, Douglas A. Tutty wrote:
Linux has SELinux in its 2.6 kernel and debian has gone ahead and
compiled SELinux into the libraries, although the
On Sat, Sep 22, 2007 at 11:34:33AM -0400, Douglas A. Tutty wrote:
Hello all,
I'm running OBSD on my older boxes but still Debian on my big box (not
ready yet).
Linux has SELinux in its 2.6 kernel and debian has gone ahead and
compiled SELinux into the libraries, although the SELinux
2007/9/22, Joachim Schipper [EMAIL PROTECTED]:
The OpenBSD developers are trying to make the most secure UNIX system
they can; SELinux might or might not be secure, but it's not UNIX.
What part of SELinux is NOT Unix? Remember that all traditional Unix
rwx permissions are still there.
Hi,
You might be talking about grsecurity and PaX [1]. SELinux hooks
through the LSM [2] framework. LSM was designed to be easily enabled
and disabled, so that should be a fundamental flaw. LSM has valid
criticisms [3] [4].
[1] http://grsecurity.net
[2]
On Sat, Sep 22, 2007 at 12:20:34PM -0400, Jason Dixon wrote:
On Sep 22, 2007, at 12:00 PM, Darrin Chandler wrote:
On Sat, Sep 22, 2007 at 11:34:33AM -0400, Douglas A. Tutty wrote:
Linux has SELinux in its 2.6 kernel and debian has gone ahead and
compiled SELinux into the libraries, although
2007/9/22, Douglas A. Tutty [EMAIL PROTECTED]:
On Sat, Sep 22, 2007 at 12:20:34PM -0400, Jason Dixon wrote:
On Sep 22, 2007, at 12:00 PM, Darrin Chandler wrote:
On Sat, Sep 22, 2007 at 11:34:33AM -0400, Douglas A. Tutty wrote:
Linux has SELinux in its 2.6 kernel and debian has gone ahead
On Sep 22, 2007, at 12:28 PM, Ihar Hrachyshka [EMAIL PROTECTED]
wrote:
2007/9/22, Jason Dixon [EMAIL PROTECTED]:
On Sep 22, 2007, at 12:00 PM, Darrin Chandler wrote:
On Sat, Sep 22, 2007 at 11:34:33AM -0400, Douglas A. Tutty wrote:
Linux has SELinux in its 2.6 kernel and debian has gone
SELinux has clearly defined security mechanisms implemented through
different components. It is doing what it was designed for. The real
problem with SELinux is the way it hooks to the Linux kernel. The
inaccurate marketing of this tool doesn't help too, unsuspecting users
are blindly using it as
On 9/22/07, Douglas A. Tutty [EMAIL PROTECTED] wrote:
Linux has SELinux in its 2.6 kernel and debian has gone ahead and
compiled SELinux into the libraries, although the SELinux policies
aren't ready on debian yet.
rhetorical question: why aren't the policies ready?
the problem with security
On 2007/09/22 11:50, Ted Unangst wrote:
exercise for the reader: find somebody using SELinux.
From what I've seen, 9 times/10, they'll only know they're using
it if they had to disable it to fix an app with a broken policy...
On Sat, Sep 22, 2007 at 11:50:08AM -0700, Ted Unangst wrote:
On 9/22/07, Douglas A. Tutty [EMAIL PROTECTED] wrote:
Linux has SELinux in its 2.6 kernel and debian has gone ahead and
compiled SELinux into the libraries, although the SELinux policies
aren't ready on debian yet.
rhetorical
On Sat, Sep 22, 2007 at 07:45:57PM +0300, Ihar Hrachyshka wrote:
2007/9/22, Joachim Schipper [EMAIL PROTECTED]:
The OpenBSD developers are trying to make the most secure UNIX system
they can; SELinux might or might not be secure, but it's not UNIX.
What part of SELinux is NOT Unix? Remember
On 22.09-16:21, Douglas A. Tutty wrote:
[ ... ]
exercise for the reader: find somebody using SELinux. ask them to
describe their policy over the phone. then repeat it back to them.
did you get it right?
[ ... ] In other words, since debian packages, by policy, must
just work on
On Sat, 22 Sep 2007, Douglas A. Tutty wrote:
Hello all,
I'm running OBSD on my older boxes but still Debian on my big box (not
ready yet).
Linux has SELinux in its 2.6 kernel and debian has gone ahead and
compiled SELinux into the libraries, although the SELinux policies
aren't ready on
The first thing people do when they run with SELinux is disabling it.
You decide how great it is.
On Sat, Sep 22, 2007 at 11:34:33AM -0400, Douglas A. Tutty wrote:
Hello all,
I'm running OBSD on my older boxes but still Debian on my big box (not
ready yet).
Linux has SELinux in its 2.6
52 matches
Mail list logo