Date: Tue, 15 Jul 2003 12:59:19 +0200
From: Pawel Jakub Dawidek <nick@garage.freebsd.pl>
To: Uwe Doering <gemini@geminix.org>
Cc: "V. Jones" <vjones62@earthlink.net>
Subject: Re: jails, ipfilter & stunnel
Message-ID: <20030715105919.GM4973@garage.freebsd.pl>
In-Reply-To: <3F13D73E.1020506@geminix.org>
References: <8213881.1058211676830.JavaMail.nobody@beaker.psp.pas.earthlink.net> <20030714211518.GD4973@garage.freebsd.pl> <3F13A975.7020508@geminix.org> <20030715091211.GK4973@garage.freebsd.pl> <3F13D73E.1020506@geminix.org>

On Tue, Jul 15, 2003 at 12:28:14PM +0200, Uwe Doering wrote:
+> >IMHO security solutions that are "harder to break", aren't security
+> >solutions.
+>
+> Sure, everybody should afford an opinion. However, as you are certainly
+> aware there is no absolute security, no magic bullet. Security is like
+> an onion, with multiple layers. You grab as many layers as you can
+> under the given circumstances and try to make the best of it.

Yes, you're right, but I'm not talking about this.

For example:
You want to stop users from seeing other users' processes. What can you do:

1. chmod a-x /bin/ps.
2. sysctl security.bsd.see_other_uids=0

The 1st solution isn't too secure :) and I'm talking about this.
You're aware of its "incompleteness". It is "harder to break", because
someone has to run top(1) or his own ps(1), but please...

The 2nd solution is the right one, because it is complete and it isn't
against lazy "attackers". Of course there could be a bug in the
implementation, but you aren't aware of it and we aren't talking about
this here. The important thing is that it is tight.

The risk calculation problem is another topic.

-- 
Pawel Jakub Dawidek                       pawel@dawidek.net
UNIX Systems Programmer/Administrator     http://garage.freebsd.pl
Am I Evil? Yes, I Am!                     http://cerber.sourceforge.net
