On Dec 5, 2007, at 9:57 AM, Martin Marcher wrote:
> But since *nix has a history of being secure because a user/process can't by default destroy any data besides the data one/it owns. Why not take that one further and require explicit permission to even run a program that can potentially destroy data?
>
> * Why not take that one further and require explicit permission to run _any_ program?
>
> Revoking "others" access by default does just that. I think my point wasn't clear.
I suppose because if you remove permissions on anything that can potentially destroy data, you quickly end up with a system that isn't usable. If you're getting paranoid enough to restrict wget and tar, you'd be better served by not letting the user have access to a shell at all. I mean, you can still clobber a file you have write permission to by doing "echo 'Whatever' >file". In most shells this requires no execute permissions on anything, since 'echo' is a built-in command.
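The point made in the reply above, shown as an added example that is not part of the thread: with every external program made unreachable (an empty PATH stands in for "no execute permission on anything"), a shell builtin plus redirection still overwrites any file the user can write to, so the write bit on the data, not the execute bit on programs, is what decides whether data survives. The file, directory and contents are constructed here in a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# demo_clobber: overwrite a writable file using only shell builtins,
# with no external command (wget, tar, cat, ...) findable on PATH.
demo_clobber() {
    dir=$(mktemp -d) || return 1
    printf 'important data\n' > "$dir/file"

    # Subshell with an empty PATH: nothing outside the shell can run here.
    (
        PATH=''
        # 'echo' is a builtin and '>' is handled by the shell itself,
        # so this needs no execute permission on any program at all.
        echo 'Whatever' > "$dir/file"
    )

    # Read the result back with the builtin 'read' (cat is not used).
    IFS= read -r line < "$dir/file"
    rm -rf "$dir"
    printf '%s\n' "$line"
}

# demo_write_bit_removed: the same attempt against a file with its write
# bits cleared. For an unprivileged user the redirection is refused and the
# original data survives. Caveat: root ignores mode bits, so run as a
# normal user to see the protection.
demo_write_bit_removed() {
    dir=$(mktemp -d) || return 1
    printf 'important data\n' > "$dir/file"
    chmod a-w "$dir/file"

    (
        PATH=''
        # Redirection fails with "Permission denied" for a non-root user.
        echo 'Whatever' > "$dir/file" 2>/dev/null || true
    )

    IFS= read -r line < "$dir/file"
    rm -rf "$dir"
    printf '%s\n' "$line"
}

# Stand-alone run: prints "Whatever", then (as a normal user) "important data".
demo_clobber
demo_write_bit_removed
```

The defensive reading is the one the reply gives: restricting which binaries a user may execute does nothing for files that user can already write, so protection comes from write permissions on the data (or from not handing out a shell), not from an allow-list of programs.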