Domain: uninet.edu
Stories and comments across the archive that link to uninet.edu.
Comments · 4
-
Re:Duh?
Actually, those things aren's as clear cut as you make them sound. Linux used to support at least one Laserjet Printer Mainboard. For an example, see this interiew or the default configuration file for the kernel
-
Re:Feature Suggestion - launch as untrusted
Security is somewhere at 10th or fiteenth
I firmly believe that the current largest flaw in existing security systems is that they are generally too difficult to use -- that they require significant additional effort on the part of the user. Security needs to be *especially* intuitive to help avoid misconfiguration (with security, misconfigurations are often hard to detect and can have catastrophic results), and easy and relatively low-effort to use to encourage people to use them.
From what I understand, SElinux divides the root privileges somewhat. Instead of root being able to do everything, things such as "bind to ports under 1024" "write to any file" are subdivided. By default, you get all (for backwards compatibility) but programs can drop privileges when they need to. In this case, I don't think it would help, the privs are too coarse grained.
I believe that you're thinking of POSIX capabilities, another set of security features in Linux 2.2 and above. This allows giving certain "root-like" capabilities to processes. SELinux is rather more fine-grained. (Also, this brief overview may be useful).
The folks putting SELinux together are the sort of folks that aren't going to overlook rewriting. :-)
NetBSD has the ability to restrict syscalls.
SELinux supports higher-level constructs than just syscall blocking, so you aren't limited to just blocking on a per-syscall level -- see the links I dropped in here.
The trick there is getting the perms permissive enough to allow the install, yet secure enough to stop some of the evil stuff. No curent OS really does this. Maybe some of the stillborn Java OS could, with their security properties, but computers in current use are designed to be very permissive.
Yup.
SELinux is complex enough (most end users don't know what a syscall is) that most people will probably just use a very high-level interface to it. Packagers can set up some policy (for example, having apache run without disk-writing access or something along those lines) and software developers other stuff. It's not quite just like setting up a chroot jail. It's more like mucking about with tc or something.
-
And you're a CS student?!!!I knew this before I did a BSc in CS; what I learned later, was the real stuff - how memory speed affects pipelining; memory has not got significantly faster in the past decade, where CPUs have gone from 30MHz to 3GHz. Therefore even more pipelines are required now, as we sit around, cycle upon cycle, waiting for memory to feed us some data.
In fact, Alan Cox gave a talk on this recently: UMeet2002.
-
kerneljanitor.orgThe kernel janitor project is pretty cool.
Dave Jones and Arnaldo Carvalho de Melo gave a talk on irc about it earlier this month. You can find the transcript at http://umeet.uninet.edu/umeet2001/talk/15-12-2001/ arnaldo-talk.html
Btw. I don't understand why Slashdot puts the extra space in URL... Is that supposed to protect someone from accidentally highlighting the URL and then middle clicking in mozilla and being miraculously transported to the page?