Re: harden-clients idea
On Wed, 9 Oct 2002, Jean-Francois Dive wrote:
> I reckon that the real point is: if your users have access to the network
> from their account with whatever tools or have access to an editor and gcc,
> all of your efforts are gone: just need to use your own copy of whatever_tool_they_like.
If you really want to harden against this kind of threat, then take a look at
rsbac (www.rsbac.org). As of version 1.2 there is support for network
RSBAC is designed to control access to programs (system calls). So it is
possible to define a set of rules that allow some programs used by some
people. Programs they compile themselves (why not deny them access to
make/cc/gcc/etc.) aren't going to run because you didn't define them.
Paul Vixie in an interview with Sendmail.net:
Now that the Internet has the full spectrum of humanity as users,
the technology is showing its weakness: it was designed to be
used by friendly, smart people. Spammers, as an example of a class,
are neither friendly nor smart.