On Sat, Sep 22, 2007 at 06:47:46PM -0500, L. V. Lammert wrote:
Can you say "root can only run this and that application when su'ed from
that guy, and may not open any net connection, but open this file and none
else" in OpenBSD? If so, how can I do it? :)
A couple of years is a long time, in terms of software, so I'd expect such
instabilities, if SELinux is the culprit, to be fixed.
But I won't deny its learning curve is extremely steep. So steep indeed
that most of the time it's easier to have carefully laid out standard
unix permissions associated with sudo and specific users for specific
software.
The *need* for things like SELinux exists in some niche markets where
higher levels of security are necessary.
Remember: OpenBSD still doesn't have a digitally signed code distribution,
and in some places that means it can't enter! Stupid, I know, but not too
stupid for the "blame game" rules, which sort of ignore the "secure by
design" initiatives.
Rui
--
All Hail Discordia!
Today is Sweetmorn, the 47th day of Bureaucracy in the YOLD 3173
+ No matter how much you do, you never do enough -- unknown
+ Whatever you do will be insignificant,
| but it is very important that you do it -- Gandhi
+ So let's do it...?