Re: can we stop packaging sysvinit scripts?

On 12.01.2018 at 00:40, Ken Dreyer wrote:
> On Wed, Jan 10, 2018 at 9:18 AM, Amon Ott <a.ott@xxxxxxxxxxxx> wrote:
>> We would really appreciate having the init scripts around for a long
>> while, as we are not willing to use systemd on our servers for security
>> reasons. Please do not drop them.
> 
> I'm curious, what init system are you using?

Still sysvinit. I just do not like the idea of one complex user space
daemon like systemd controlling most of the system, whose complexity
makes severe security problems likely. So we stick with separate small
programs and mandatorily assign individual and limited access control
rights to them with RSBAC.

Think of the regular nightmare with anti-malware software deep in the
system, which repeatedly opened up the whole system remotely in the
past, and you get the idea. We do not trust malware scanners and
strictly limit their abilities to a simple "read a file and decide, we
do the rest as we please".

IMO, access control must be done in the kernel and security needs small
components in user space with limited functionality, following the good
old KISS principle. Then you have full control and can limit the
consequences of misbehaving programs.

Amon Ott
-- 
Dr. Amon Ott
m-privacy GmbH           Tel: +49 30 24342334
Werner-Voß-Damm 62       Fax: +49 30 99296856
12101 Berlin             http://www.m-privacy.de

Amtsgericht Charlottenburg, HRB 84946

Managing directors:
 Dipl.-Kfm. Holger Maczkowsky,
 Roman Maczkowsky

GnuPG-Key-ID: 0x2DD3A649
