On Tue, Feb 28, 2017 at 5:07 AM, René J.V. Bertin <[email protected]> wrote:
> On Monday February 27 2017 12:00:26 [email protected] > wrote: > >...or maybe they "just" need "a dozen" years of work. Darwin isn't Linux; > >SIP isn't SElinux: things don't carry over. > > With Apple's resources you'd hope it wouldn't take them a dozen years... > SElinux is just a variant of a known and relatively well understood technology (ruleset-based labeled mandatory access control). Apple took a different and I think rather less well understood path; they may well be blazing new trails in security... which is tricky even with well understood tech. And "well understood", in the context of security, isn't very; for everything known, there's a huge area of shadows and thick fog explored so far only by the black hats (including the likes of NSA), and not very far even by them. > > If you really need to pass through such envvars, just don't use a system > > shell. > > Like installing a shell through MacPorts or similar and setting that as > your login shell? Won't such shells have limited permissions because they > haven't been ratified officially? > Oddly enough, no. You can even copy /bin/sh to a different path and run it and it will lose many of its protections (recent MacPorts trace mode even knows and uses this!). An example of what I said above. Seems an odd way to do things to me, and I'm far from being a security expert. -- brandon s allbery kf8nh sine nomine associates [email protected] [email protected] unix, openafs, kerberos, infrastructure, xmonad http://sinenomine.net
_______________________________________________ Do not post admin requests to the list. They will be ignored. X11-users mailing list ([email protected]) Help/Unsubscribe/Update your Subscription: https://lists.apple.com/mailman/options/x11-users/archive%40mail-archive.com This email sent to [email protected]
