On Mon, 27.10.08 15:29, Stephen John Smoogen (smooge@xxxxxxxxx) wrote:

> > Having desktop firewalls is security theatre. Having 20 levels of
> > false and inappropriate security is worse than having a single level
> > of security that is appropriate for the task.
>
> My guess is that having priv-sep, passwords, etc are all security
> theatre for the desktop user in this case. I mean if application X
> can't work without me being root then why not be root? If having a
> password slows me down from getting stuff done, why not remove it. For
> this level.. why are we doing anything beyond Windows 98 which seems
> to be the perfect desktop platform.

You are making stupid generalizations here, and you know that. Please don't talk to me like I was a complete moron or something.

In Avahi for example (which I wrote) I went to great lengths to run the code in an environment that is as confined as possible. We use stuff like chroot(), capabilities, we run as a separate user with minimal resource limits and stuff like that, so that even without SELinux an exploited Avahi does not allow attackers to exploit the entire system. In fact, on my F10 system here that runs a lot of stuff in addition to the standard install, Avahi is still the *only* process which does all that security stuff. No other daemon employs chroot() or anything similar.

So please, don't tell me I had no clue about how to secure daemons on Linux. Oh, I am not sure if you ever wrote anything like that. I'd be very interested to listen to you then.

Use the appropriate tools for locking things down. Don't add protection that is bogus because it will be overridden by the user anyway. I am very sure that exactly 0% of all users deactivate all the security techniques that Avahi uses -- because they have no reason to. Because it doesn't limit the use of Avahi in any way -- it doesn't go against what users want to do.

Lennart

--
Lennart Poettering                        Red Hat, Inc.
lennart [at] poettering [dot] net         ICQ# 11060553
http://0pointer.net/lennart/           GnuPG 0x1A015CC4

--
Fedora-desktop-list mailing list
Fedora-desktop-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-desktop-list
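The confinement Lennart describes for Avahi (chroot(), capabilities, a separate user, resource limits), as an added Linux C example written for this page; it is not Avahi's code. The jail directory, the uid/gid 65534 and the chosen limits are assumptions, and the capability drop uses prctl() on the bounding set rather than libcap.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <linux/capability.h>
#include <unistd.h>

struct limit_spec { int resource; rlim_t value; };  /* applied as soft = hard = value */

/* Clamp resource limits; lowering a limit never needs privilege. Returns 0 or -errno. */
int apply_limits(const struct limit_spec *specs, size_t n) {
    for (size_t i = 0; i < n; i++) {
        struct rlimit rl = { specs[i].value, specs[i].value };
        if (setrlimit(specs[i].resource, &rl) < 0) return -errno;
    }
    return 0;
}

/* Read a limit back: 1 if both soft and hard equal 'expected', else 0. */
int limit_is(int resource, rlim_t expected) {
    struct rlimit rl;
    return getrlimit(resource, &rl) == 0 && rl.rlim_cur == expected && rl.rlim_max == expected;
}

/* Called once, as root, after the listening sockets exist. Order matters: chroot()
   and the bounding-set drop need root, so they precede the uid change; NO_NEW_PRIVS
   then blocks regaining privilege through setuid binaries. Returns 0 or -errno. */
int confine(const char *jail, uid_t uid, gid_t gid) {
    if (chdir(jail) < 0 || chroot(jail) < 0 || chdir("/") < 0) return -errno;
    for (int cap = 0; cap <= CAP_LAST_CAP; cap++)             /* empty the bounding set */
        if (prctl(PR_CAPBSET_DROP, (unsigned long)cap, 0UL, 0UL, 0UL) < 0 && errno != EINVAL)
            return -errno;
    if (setgroups(0, NULL) < 0) return -errno;               /* no supplementary groups */
    if (setresgid(gid, gid, gid) < 0 || setresuid(uid, uid, uid) < 0) return -errno;
    if (prctl(PR_SET_NO_NEW_PRIVS, 1UL, 0UL, 0UL, 0UL) < 0) return -errno;
    if (setresuid(0, 0, 0) == 0) return -EPERM;              /* drop must be irreversible */
    return 0;
}
int main(void) {
    /* Constructed values: the jail directory and the uid/gid 65534 are assumptions. */
    static const struct limit_spec limits[] = { { RLIMIT_CORE, 0 }, { RLIMIT_NPROC, 2 } };
    int r = apply_limits(limits, sizeof limits / sizeof limits[0]);
    if (r == 0 && geteuid() == 0) r = confine("/var/empty", 65534, 65534);
    if (r < 0) { fprintf(stderr, "confinement failed: %s\n", strerror(-r)); return 1; }
    printf("uid %u, core dumps disabled: %d\n", (unsigned)geteuid(), limit_is(RLIMIT_CORE, 0));
    return 0;
}
```

Run unprivileged it only clamps the limits; started as root it also chroots, empties the capability bounding set and switches to the unprivileged account before doing any work.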