Re: Attempts at security (was Re: Draft spec for new dpkg "triggers" feature)
On Saturday 03 February 2007 23:47, Hendrik Sattler
> > It's disabled by default, unlike in Fedora and Red Hat Enterprise Linux
> > where it's on by default. I believe that the latest release of SUSE has
> > AppArmor on by default.
> Red Hat has a long history of strange decisions.
Red Hat has a long history of making Linux easy to use. Try using Fedora and
Debian for the same sys-admin tasks and compare. You will discover that
right from the install Fedora is a lot easier. Of course the Debian
installer gives many options that the Fedora installer doesn't (degraded RAID
arrays and encrypted block devices as two examples), but it's a lot harder to
The "targeted" SE Linux policy was developed because the "strict" policy was
too difficult to use for most of the Fedora user-base.
> > You claim that almost all the examples I gave have problems. Please
> > explain the problems that you believe to be in exec-shield, PIE, and
> > poly-instantiated directories. Make sure that they are real examples not
> > "a program might have some problem" claims.
> Does X already work with it? Mplayer is also named there and thus probably
> xine (using these win32-DLLs), too? How about things like Mono?
I don't recall anyone seriously suggesting compiling all programs with PIE,
just the ones that are likely to be attacked.
Mplayer does many nasty things (such as loading Windows DLLs). You can expect
it to have problems that other programs don't have.
> Exec-shield is related to it, AFAIK.
> For the poly-instantiated views to directories, I am not sure that this is
> thought to its end, yet.
It's been around in various forms for more than 10 years, people have thought
about it a lot.
> The main usage will probably be /tmp but there are
> already solutions for secure temp file creation.
There aren't any other solutions to the problems that are solved by
PI-directories. Read my paper from the above URL and see if you can discover
> Users may get confused why they do not see the same directory contents
> although the path is the same.
Generally with PI-directories a user doesn't have the opportunity to see
different views of the same directory so this isn't a problem.
http://etbe.blogspot.com/ My Blog
http://www.coker.com.au/sponsorship.html Sponsoring Free Software development