Re: SELinux - way of the future or good idea but !!!

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



On Tuesday, November 30, 2010 02:35 AM, Les Mikesell wrote:
> On 11/29/2010 10:40 AM, Lamar Owen wrote:
>> On Sunday, November 28, 2010 05:40:41 pm brett mm wrote:
>>> In reality, I am not at all sure that a quantum leap in complexity
>>> adds to security at all. Any proper use of old-school group
>>> permissions can give as finely-grained a security policy as you would
>>> like.
>>
>> No, it won't.
>>
>> Suppose I'm running CentOS on a workstation, and have a need to access a corporate webapp written in Flash, read corporate documents in PDF, and use other applications written in Java.  So I'm going to be living in my browser for most things corporate.
>>
>> How can I prevent a compromised PDF from gaining an attacker access to my entire home directory?  More to the point, how to I prevent that PDF from gaining WRITE access to files in my home directory (say, .bashrc for instance)?
>
> If you don't trust your software, run it under a uid that doesn't have
> write access to anything important - or in a VM or a different machine
> for that matter.  X has no problem displaying programs running with
> different uids or locations.
>

Hurrah! That's it! Just move the problem elsewhere. Oh, you snipped out 
a bit too much. Write access is not just the problem. Being able to 
upload and execute is also a problem. Can you say 'bot'?
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos


[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux