Re: is KERNEL developement finished, yet ??? (ACLs)

From: Jakob Oestergaard (jakob@unthought.net)
Date: Fri Dec 06 2002 - 05:38:17 EST


On Thu, Dec 05, 2002 at 12:09:25PM -0800, Tupshin Harper wrote:
...
> >Yeah, and look how much more secure it is than UNIX.
> >
> > Linus
> An unfortunately inflamatory argument that avoids the real issue. I'm
> not going to argue the security of NT (heaven forbid), but you do
> completely ignore the benefits of ACLs, including things that
> capabilities don't provide.
[snip - big argument, ACLs, seen 100 times on lkml before]

DAC (ACLs) add flexibility to security configurations, no argument
there. Flexibility != security.

DAC without MAC is insane.

Read "The Inevitability of Failure":
   http://www.nsa.gov/selinux/inevit-abs.html

Yes, the current owner/group/other system is DAC too. Adding more
"flexible" (read: disaster-prone) features before MAC (eg. SELinux) is a
standard part of the kernel, is ludicrous.

And no, NT doesn't have MAC. Nor are they likely to get it. Guess why
any local user absolutely 0wnZ an NT box...

If you want to argue with me on these statements, please take it off
list.

-- 
................................................................
:   jakob@unthought.net   : And I see the elder races,         :
:.........................: putrid forms of man                :
:   Jakob Østergaard      : See him rise and claim the earth,  :
:        OZ9ABN           : his downfall is at hand.           :
:.........................:............{Konkhra}...............:
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/



This archive was generated by hypermail 2b29 : Sat Dec 07 2002 - 22:00:26 EST