> On Feb 28, 2017, at 04:32, Brandon Allbery <[email protected]> wrote:
>
> On Tue, Feb 28, 2017 at 5:07 AM, René J.V. Bertin <[email protected]> wrote:
> On Monday February 27 2017 12:00:26 [email protected] wrote:
>> ...or maybe they "just" need "a dozen" years of work. Darwin isn't Linux; SIP isn't SELinux: things don't carry over.
>
> With Apple's resources you'd hope it wouldn't take them a dozen years...
>
> SELinux is just a variant of a known and relatively well understood technology (ruleset-based labeled mandatory access control). Apple took a different and I think rather less well understood path; they may well be blazing new trails in security... which is tricky even with well understood tech. And "well understood", in the context of security, isn't very; for everything known, there's a huge area of shadows and thick fog explored so far only by the black hats (including the likes of NSA), and not very far even by them.
>
>> If you really need to pass through such envvars, just don't use a system shell.
>
> Like installing a shell through MacPorts or similar and setting that as your login shell? Won't such shells have limited permissions because they haven't been ratified officially?
>
> Oddly enough, no. You can even copy /bin/sh to a different path and run it and it will lose many of its protections (recent MacPorts trace mode even knows and uses this!). An example of what I said above. Seems an odd way to do things to me, and I'm far from being a security expert.
You can also install /usr/local/bin/sh (as zsh or some newer GPLv3 bash or pdksh if that's your schtick) and set up your scripts to use '#!/usr/bin/env sh' instead of '#!/bin/sh'.

--Jeremy
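Since '#!/usr/bin/env sh' runs whichever sh is first on PATH, the practical question for a script author is which interpreter that resolves to and whether it is the system copy (whose environment SIP restricts) or a locally installed one. The following is an added example, not code from the thread; the list of protected prefixes is an assumption for illustration, not Apple's authoritative list.

```shell
#!/bin/sh
# Added example: resolve which interpreter "#!/usr/bin/env sh" would run for
# a given PATH and report whether it sits under a system prefix that macOS
# SIP treats as protected (assumed list: /bin, /sbin, /usr/bin, /usr/sbin,
# /System). Binaries there have DYLD_* and similar variables stripped; a
# copy under /usr/local/bin or a MacPorts prefix does not.

# resolve_in_path NAME PATHLIST -> prints the first executable match on
# stdout and returns 0; returns 1 with no output if nothing matches.
resolve_in_path() {
    name=$1
    pathlist=$2
    old_ifs=$IFS
    IFS=:
    for dir in $pathlist; do
        [ -z "$dir" ] && dir=.          # empty PATH entry means cwd
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            IFS=$old_ifs
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# is_protected_prefix PATH -> 0 when PATH lies under an assumed SIP prefix
is_protected_prefix() {
    case $1 in
        /bin/*|/sbin/*|/usr/bin/*|/usr/sbin/*|/System/*) return 0 ;;
        *) return 1 ;;
    esac
}

# report_sh PATHLIST -> prints "<resolved path> protected|unprotected"
report_sh() {
    resolved=$(resolve_in_path sh "$1") || { echo "sh: not found in PATH"; return 1; }
    if is_protected_prefix "$resolved"; then
        printf '%s protected\n' "$resolved"
    else
        printf '%s unprotected\n' "$resolved"
    fi
}

# Report for the current environment, i.e. what "env sh" would pick right now.
report_sh "$PATH"
```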
