> 1) Newbie will ask "why I can't remove file X? I do all that they say
> in the *Linux is Great - 101 Book* (hoping not to infringe any
> copyright here).

Probably not just newbies. :-)

> 2) If, as a SysAdmin, I decided to put some file immutable, I
> certainly don't want a program like dpkg (whose task is package
> maintenance, not security administration) make it obsoleted because
> it, it changed it. Even, maybe I set it immutable because I don't want
> dpkg to change it!

This is an annoyingly good point. One possibility is the use of other bits in the ext2 extended attributes in the package maintenance program; another is the introduction of a second immutable bit specifically for package tools.

> Briefly, most people don't need it or will misuse it (see the pgp
> manual about false security impression)

The fact that locks *can* be picked isn't an argument to never use one. As most cops will readily admit, you often only need a lock just good enough to convince the bad guys to move on down the street. Setting critical system files immutable won't stop a dedicated attacker, but it should (from what I understand) be enough to stop a casual attack from someone without root access.

> and people who really need it,
> don't need dpkg to bother with them.

I think that point is debatable. I'm not ignorant about security issues, but there are so many variables today that it's virtually impossible for someone to keep track of them all. On the other hand, it's not unreasonable for part of the final release process to be a fairly thorough security check and any problems either fixed or documented.

Bear Giles
[EMAIL PROTECTED]
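The concern in point 2 above, a package tool overriding a file the administrator deliberately made immutable, can be handled by checking the inode flag before touching anything. The following is an added example, not part of the original message and not dpkg's own code; `read_flags` and `plan_update` are hypothetical names, and the constants are the Linux `FS_IOC_GETFLAGS` ioctl and the `chattr +i` flag bit.

```python
import array
import fcntl
import os
import struct
import sys

# FS_IOC_GETFLAGS is _IOR('f', 1, long), so its value depends on sizeof(long).
FS_IOC_GETFLAGS = 0x80086601 if struct.calcsize("l") == 8 else 0x80046601
FS_IMMUTABLE_FL = 0x00000010  # the bit set by `chattr +i`


def read_flags(path):
    """Return the inode flag word for path, or None if it cannot be read."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
    except OSError:
        return None  # missing or unreadable: nothing to report
    try:
        buf = array.array("I", [0])  # the kernel stores the flags as an int
        fcntl.ioctl(fd, FS_IOC_GETFLAGS, buf, True)
        return buf[0]
    except OSError:
        return None  # filesystem without inode-flag support
    finally:
        os.close(fd)


def plan_update(paths, get_flags=read_flags):
    """Split paths into (replaceable, held_back).

    A path is held back when the administrator has marked it immutable,
    so the tool reports it instead of clearing the bit behind their back.
    """
    replaceable, held_back = [], []
    for path in paths:
        flags = get_flags(path)
        if flags is not None and flags & FS_IMMUTABLE_FL:
            held_back.append(path)
        else:
            replaceable.append(path)
    return replaceable, held_back


if __name__ == "__main__":
    ok, held = plan_update(sys.argv[1:])
    for p in held:
        print("held back (immutable):", p)
    for p in ok:
        print("would replace:", p)
```

Run with a list of paths as arguments; files set with `chattr +i` are reported as held back rather than modified.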