On Monday, 5 January 2015, Martijn Dekkers wrote:
> On 5 January 2015 at 07:47, Enrico Weigelt, metux IT consult
> <enrico.weig...@gr13.net> wrote:
>
> > On 05.01.2015 00:40, Jude Nelson wrote:
> >
> > >> In VAX/VMS there was a feature that could in theory be useful,
> > >> though I've never seen it actually used. File permissions could
> > >> forbid the root user from reading the file. This might be useful
> > >> for dire secrets. Even the sysadmin couldn't back up that file.
> > >
> > > I think for some applications (like dealing with medical records), this
> > > is a legal requirement.
> >
> > No, certainly not (I'm currently working in that area) - that's just
> > misinterpretation. Instead you'll need clear access control rules,
> > which might have to prevent _operators_ from accessing certain data.
> > In that case, operators won't have root access.
> >
>
> That answer is just plain wrong. There are several areas where there are
> significant legal requirements around disallowing the concept of a root /
> UID 0 user to have overriding access. Please be advised that SELinux was
> built by the NSA *specifically* to be able to meet these legal
> requirements. Think Government, Finance, Defense, Intelligence, Law
> Enforcement, Medical. Yes, this is first-hand, practical knowledge. Stating
> that there is no legal requirement anywhere for restricting access to
> information only to a certain group of users is .... funny ....

Oh, wasn't the NSA the "inventor" of e.g. the compromised elliptic curve in the NIST standard? I would not give a cent on anything that has an NSA label on it.

Be aware that the "legal" concept of the US/UK is confined to those countries and luckily not addressable worldwide.

There's a saying: "For every security problem there is a juridical solution". Take a look at De-Mail to see how that turns out in practice.

Nik

--
Please do not email me anything that you are not comfortable also sharing with the NSA.