Re: jails, ipfilter & stunnel
From: Pawel Jakub Dawidek (nick garage.freebsd.pl)
Date: Tue Jul 15 2003 - 05:59:19 CDT
On Tue, Jul 15, 2003 at 12:28:14PM +0200, Uwe Doering wrote:
+> >IMHO security solutions that are "harder to break", aren't security
+> >solutions.
+>
+> Sure, everybody should afford an opinion. However, as you are certainly
+> aware there is no absolute security, no magic bullet. Security is like
+> an onion, with multiple layers. You grab as many layers as you can
+> under the given circumstances and try to make the best of it.
Yes, you're right, but I'm not talking about this.
For example: You want to deny users the ability to see other users' processes.
What can you do:
1. chmod a-x /bin/ps
2. sysctl security.bsd.see_other_uids=0
The 1st solution isn't too secure :) and I'm talking about this. You're aware
of its "incompleteness". It is "harder to break", because someone has
to run top(1) or his own ps(1), but please...
The 2nd solution is the right one, because it is complete and it isn't against
lazy "attackers".
Of course there could be a bug in the implementation, but you aren't aware
of it and we aren't talking about this here. The important thing is that
it is tight. The risk calculation problem is another topic.
--
Pawel Jakub Dawidek pawel dawidek.net
UNIX Systems Programmer/Administrator http://garage.freebsd.pl
Am I Evil? Yes, I Am! http://cerber.sourceforge.net
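
Added example, not part of the original message or of FreeBSD: a small audit for the kernel-enforced option from the message, checking that security.bsd.see_other_uids is 0 in the running kernel and also set in a sysctl.conf-style file so it survives a reboot. The function names and the sample file are constructed for illustration; persistence through /etc/sysctl.conf with the last assignment winning is the assumption.

```shell
#!/bin/sh
# conf_value FILE KEY
# Print the effective value of KEY in a sysctl.conf-style file.
# Comments are ignored, whitespace around "=" is tolerated, and the
# last assignment wins. Prints an empty line if KEY is not set.
conf_value() {
    [ -r "$1" ] || return 0
    awk -v key="$2" '
        { sub(/#.*/, "") }                       # strip comments
        /=/ {
            k = $0; sub(/=.*/, "", k);    gsub(/[ \t]/, "", k)
            v = $0; sub(/^[^=]*=/, "", v); gsub(/[ \t"]/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# audit_see_other_uids RUNTIME_VALUE CONF_FILE
# Returns 0 if the restriction is enforced now and persistent,
# 1 if it is not enforced, 2 if it is enforced but lost at reboot.
audit_see_other_uids() {
    runtime=$1
    persistent=$(conf_value "$2" security.bsd.see_other_uids)
    if [ "$runtime" != 0 ]; then
        echo "FAIL: not enforced (runtime=${runtime:-unset})"
        return 1
    elif [ "$persistent" != 0 ]; then
        echo "WARN: enforced now, but not set in $2"
        return 2
    fi
    echo "OK: enforced and persistent"
}

# Constructed sample file, so the script runs on any system.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample sysctl.conf
security.bsd.see_other_uids=1
security.bsd.see_other_uids = 0   # later line wins
EOF
audit_see_other_uids 0 "$sample"
rm -f "$sample"

# Live use on FreeBSD:
#   audit_see_other_uids "$(sysctl -n security.bsd.see_other_uids)" /etc/sysctl.conf
```

The mode bits of /bin/ps are deliberately not checked: as the message argues, they say nothing about whether process information is actually restricted.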