On 02/23/2014 08:09 PM, openda...@hushmail.com wrote:

> 1. Why doesn't OpenBSD have something like RBAC?

RBAC has a lot more knobs to tweak, so you can always go back after a
security incident and say "aha! I need to tweak *that* knob to prevent
this next time!" But it has a steep learning curve, and everything you
don't know about how your RBAC is configured is as much a problem as
everything you got wrong.  Most people use RBAC on Linux by turning it off.

OpenBSD permissions are fairly simple, thoroughly considered,
and set up with sane defaults.  Most people continue to rely on just
these basic controls, on OpenBSD *and* on systems with RBAC.

> 2. Is chroot really inferior to FreeBSD jails?

As best as I can tell, jail basically accomplishes three things: it
severely restricts even the root user inside the jail, it lets you
restrict some bad things from occurring inside a jail, and it hides
processes outside the jail. The first part is interesting from a
"virtual root access" standpoint, but adds a lot of code and complexity
for that one use case. The second part (e.g., not allowing LKM inside
the jail) is really only a good idea if you thought letting people do
those things outside the jail is still good... on OpenBSD you can
control most of those things globally. The last bit seems pretty
uninteresting, unless (again) you are trying for "virtual root access."
-- 
 Matthew Weigel
 hacker
 unique & idempot . ent
