On Fri, 20 Nov 2009, Matthew Garrett wrote:

> Actually, thinking about it, even this isn't sufficient. An attacker
> could change the ctrl+alt+F* bindings and use them to pop up a
> full-screen window that looks like the console. So you'd also need to
> set up securetty to ensure that root can only log in on real consoles.

Right. This is why we need trusted path (not just for consoles, but for
interaction generally between users and the system).

The fundamental requirements for securing our systems were outlined in a
paper by NSA researchers - "The Inevitability of Failure: The Flawed
Assumption of Security in Modern Computing Environments"

http://www.nsa.gov/research/_files/publications/inevitability.pdf

I strongly recommend that Fedora developers read this.

Some of the requirements have been addressed since the paper was published
(mostly in the area of adding Mandatory security via SELinux), although
the desktop in particular still needs work. There's been some progress,
e.g. XACE, which allows us to begin locking down the X itself (a video of
the LPC session on this is at http://video.linuxfoundation.org/video/1566).

I was hoping to see more desktop and general OS developers at the security
track of LPC -- it was mostly security folk talking to other security
folk. Certainly, I think we should try and find a way to get more
discussion happening amongst different groups next time.

FWIW, I discussed the "inevitability" requirements as part of a broader
talk on Linux security at KCA in Brisbane earlier this year; video &
slides are online:

http://namei.org/presentations/linux-kernel-security-kca09.pdf
http://www.ustream.tv/recorded/1814752

--
James Morris
<jmorris@xxxxxxxxx>