At 13:55, Saturday 6 March 2004, Lamar Owen wrote:

> On Friday 05 March 2004 03:34 pm, scott.marlowe wrote:
> > Sorry, but that's the wrong answer. Once someone has root on a unix box
> > he can do ANYTHING he wants. And he can cover his tracks.
>
> This is what things like the capabilities system and SELinux are designed
> to prevent in the Linux world. As Fedora Core 2 will ship with SELinux
> installed and enabled, it will become much more difficult for someone to
> randomly get root and do damage. It is quite simple with SELinux to
> prevent any of the attacks you mentioned. Root is no longer root. Things
> on an SELinux system, or a system fully implementing the kernel
> capabilities model, can indeed be locked away from root, at least in
> network-attached multiuser mode. This does, of course, make maintenance of
> the data more difficult; one must be at the console in a special mode to do
> full maintenance. But someone remotely cracking root is no longer the
> threat they once were, when some system like SELinux is in use.
A better, more structured architecture of permissions on Unix is a long-standing need. It looks like SELinux is offering a new and interesting approach to this problem.

Regarding this topic I have a dream: the hierarchical permission architecture of OS/400 (and many other IBM mainframe OSs) ported to Linux. Just imagine this: you have an omnipotent "root" who can access the machine from the console only, a whole set of powerful, configurable administrators who can act from the net, each of them devoted to administering a specific part of the OS or of the file system, and finally a crowd of simple users with configurable permissions. Nobody would have more power than what he actually needs for his job, not even root.

Wouldn't it be a better (safer and more manageable) world to live in?

-----------------------------------------
Alessandro Bottoni and Silvana Di Martino
[EMAIL PROTECTED]
[EMAIL PROTECTED]