On Sun, Sep 12, 2010 at 2:07 AM, JB wrote:
> Joel Rees <...@gmail.com> writes:
>
>> ...
>> I, myself, am partial to a concept I call virtual sub-users, but I
>> have no code for that, don't even have a complete description of the
>> concept. It doesn't run on any available OS, including those that do
Joel Rees <...@gmail.com> writes:
> ...
> I, myself, am partial to a concept I call virtual sub-users, but I
> have no code for that, don't even have a complete description of the
> concept. It doesn't run on any available OS, including those that do
> "sandboxing".
> ...
Could you elaborate somewhat
On Wed, Sep 1, 2010 at 9:35 PM, JB wrote:
> Hi,
>
> SELinux is a bad thing, concept- and design-wise.
SELinux in a Linux OS is not a general consumer grade solution. I'm
not sure it will ever be.
However, Fedora is not a general consumer grade OS, at least not for
most consumers without an in-ho
Tim wrote:
> Tim, remembering the days of writing everything for hardware with no OS,
> just basic firmware... And typing in other people's software from a
> book, instead of simply getting some file... And compiling software
> completely manually (looking up OP codes from the microprocessor book
On Sat, Sep 04, 2010 at 12:04:41PM +, JB wrote:
> - a new Linux micro kernel
> It will address a different architecture of kernel, system, and user spaces.
> There is a lot of know-how, theoretical and empirical research, and
> experience in this area available.
> The Linux community (
JB <...@gmail.com> writes:
> ...
Hi,
SELinux has been the catalyst for this discussion, which touched on a broader
issue of Linux kernel in the context of UNIX philosophy.
Let me continue my thoughts, elaborate more, and quickly cut to the chase.
There is a need for two kernels under GNU and UNIX/
On Sat, 2010-09-04 at 00:40 +0930, Tim wrote:
> No. I'm talking about giving someone a file, not access to your space.
One reason that "chown" is only allowed to the root user is that users
have used this to get around disk quotas. Chown the file to someone else
and it doesn't count against your
On Thu, 2010-09-02 at 19:03 +0200, Zoltan Boszormenyi wrote:
> You don't want to open your home directory for
> the whole world, do you?
No. I'm talking about giving someone a file, not access to your space.
"Here's this file, have it, it's yours. You get to own it and keep it."
As far as I can
Tim wrote:
> Tim:
>
>>> You've never downloaded a file as one user, that another user wanted,
>>> or another of your own logins needed, and then had to move it from
>>> one to the other?
>>>
>
> Zoltan Boszormenyi:
>
>> For that, I always create a /home/common directory with
>> sgid bit
Michael Hennebry wrote:
>
>On Thu, 2 Sep 2010, James Mckenzie wrote:
>
>> However, this portion of the thread is the first case where I could actually
>> state that this could be a MAJOR security hazard. Let's expand this:
>>
>> 1. An account with a weak password gets compromised.
>> 2. This a
On Thu, 2 Sep 2010, James Mckenzie wrote:
> However, this portion of the thread is the first case where I could actually
> state that this could be a MAJOR security hazard. Let's expand this:
>
> 1. An account with a weak password gets compromised.
> 2. This account has a file added (either FT
On 09/02/2010 09:25 AM, Bruno Wolff III wrote:
> On Thu, Sep 02, 2010 at 08:30:29 -0400,
> John Mellor wrote:
>>
>> I agree with you about the extreme cost of the relabel problem, but that
>> may be due to a lack of knowledge on my part. Relabeling
Ed Greshko wrote:
>Sent: Sep 2, 2010 6:58 AM
>To: Community support for Fedora users
>Subject: Re: SELinux - a call for end-of-life.
>
> On 09/02/2010 08:41 PM, Tim wrote:
>> Ed Greshko:
>>>>> Are you saying that you think it is a good idea to be allowed to
On 09/02/2010 08:41 PM, Tim wrote:
> Ed Greshko:
>>>> Are you saying that you think it is a good idea to be allowed to chown
>>>> of a file under your UID to another's UID as a normal user?
> Tim:
>>> You've never downloaded a file as one user, that another user wanted, or
>>> another of your own
On 09/02/2010 12:21 PM, JB wrote:
> - its philosophy
> A kernel that was surrounded by flexibility in its system and user space
> (modular, single purpose, stand-alone utilities, easy to assemble and
> disassemble for a work to be done; a fruitful model for a broader,
> self-sustained, and
On 09/02/2010 01:46 PM, Tim wrote:
> Again, it's more or less what I said, earlier. To *give* someone a
> file, your only options are to let them read the file, and then they
> copy it. If you want them to *own* the file, instead of you.
>
And that's how it's supposed to work. Only root (or rat
On Thu, Sep 02, 2010 at 08:30:29 -0400,
John Mellor wrote:
>
> I agree with you about the extreme cost of the relabel problem, but that
> may be due to a lack of knowledge on my part. Relabeling the very small
> subset of space that is used for system and some of the more common
> applications
On Thu, Sep 02, 2010 at 22:13:29 +0930,
Tim wrote:
>
> Yes, that's the same sort of thing as I've done, before. But you're
> still left with copying files about, to *give* someone a file.
Accept that sometimes people don't want someone to give them a file, so
you need a protocol where both pa
On Thu, 2010-09-02 at 11:11 +0100, Bryn M. Reeves wrote:
> Look into groups some time - they're a whole world of fun (and there to
> solve the kind of problems you're discussing).
Yes, I've done that before, too.
> There are even mechanisms to allow you to create directories that can be
> written
Tim:
>> You've never downloaded a file as one user, that another user wanted,
>> or another of your own logins needed, and then had to move it from
>> one to the other?
Zoltan Boszormenyi:
> For that, I always create a /home/common directory with
> sgid bit set on it and the directory chgrp's to "
Ed Greshko:
>>> Are you saying that you think it is a good idea to be allowed to chown
>>> of a file under your UID to another's UID as a normal user?
Tim:
>> You've never downloaded a file as one user, that another user wanted, or
>> another of your own logins needed, and then had to move it from
On Thu, 2010-09-02 at 11:21 +, JB wrote:
> Marko Vojinovic <...@gmail.com> writes:
>
> > ...
> > > > > - it should be self-contained, installable and removable at any time,
> > > > > without influencing the system
> > > >
> > > > No serious security system can run entirely in userspace, they are
Tim wrote:
> On Thu, 2010-09-02 at 12:52 +0800, Ed Greshko wrote:
>
>> Are you saying that you think it is a good idea to be allowed to chown
>> of a file under your UID to another's UID as a normal user?
>>
>
> You've never downloaded a file as one user, that another user wanted, or
> anoth
Marko Vojinovic <...@gmail.com> writes:
> ...
> > > > - it should be self-contained, installable and removable at any time,
> > > > without influencing the system
> > >
> > > No serious security system can run entirely in userspace, they are all
> > > implemented in the kernel. Standard UNIX permiss
On 09/02/2010 05:39 AM, Tim wrote:
> On Thu, 2010-09-02 at 04:24 +0100, Marko Vojinovic wrote:
>> Try to change the ownership of a file as an ordinary user (to "disown"
>> your own file), for example. The chown simply won't allow you to do
>> it, it is a serious security hole.
>
> That's something
On 09/02/2010 06:05 PM, Tim wrote:
> On Thu, 2010-09-02 at 12:52 +0800, Ed Greshko wrote:
>> Are you saying that you think it is a good idea to be allowed to chown
>> of a file under your UID to another's UID as a normal user?
> You've never downloaded a file as one user, that another user wanted,
On Thu, 2010-09-02 at 12:52 +0800, Ed Greshko wrote:
> Are you saying that you think it is a good idea to be allowed to chown
> of a file under your UID to another's UID as a normal user?
You've never downloaded a file as one user, that another user wanted, or
another of your own logins needed, an
When did Ubunters come into Fedora? ;)
SELinux rules!
It's hard to be free... but I love to struggle. Love isn't asked for;
it's just given. Respect isn't asked for; it's earned!
Renich Bon Ciric
http://www.woralelandia.com/
http://www.introbella.com/
--
users mailing list
users@lists.fedorapro
On 09/02/2010 12:39 PM, Tim wrote:
> On Thu, 2010-09-02 at 04:24 +0100, Marko Vojinovic wrote:
>> Try to change the ownership of a file as an ordinary user (to "disown"
>> your own file), for example. The chown simply won't allow you to do
>> it, it is a serious security hole.
> That's something t
On Thu, 2010-09-02 at 04:24 +0100, Marko Vojinovic wrote:
> Try to change the ownership of a file as an ordinary user (to "disown"
> your own file), for example. The chown simply won't allow you to do
> it, it is a serious security hole.
That's something that I've wanted to do, from time to time,
On Wed, 2010-09-01 at 08:17 -0700, JD wrote:
> Whew!! Finally someone said it for me! :)
> Thank you JB.
>
> On 09/01/2010 05:35 AM, JB wrote:
> > Hi,
> >
> > SELinux is a bad thing, concept- and design-wise.
Are JB and JD the same person?
--
[...@localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.
On Wed, 2010-09-01 at 15:44 +0100, Alan Cox wrote:
> Also there's not a lot of value in "you have been owned, your data is
> toast, your hard disk is erased"
I've seen that with anti-virus software. It'll warn you that it
detected a virus. But did it stop it? No, the virus did its job.
I reall
On Wednesday, September 01, 2010 20:54:47 JB wrote:
> Thanks. It was my intention to induce a reaction to my post.
> Your opinion is appreciated, regardless of whether friendly or not :-)
My opinion is always intended to be friendly, otherwise I would keep it to
myself. :-)
> > > - it should be
On Wednesday, 01 September, 2010 17:29 zulu, JB scribed:
> Please feel free to add some thoughts to my modest idea of the future
> concept of security. Do not assume that it has to be something big or
> revolutionary - we have seen that small and evolutionary things can
> make a difference too. JB
Marko Vojinovic <...@gmail.com> writes:
>
> On Wednesday, September 01, 2010 18:29:13 JB wrote:
> > Please feel free to add some thoughts to my modest idea of the future
> > concept of security.
>
> Since you are apparently serious about this, let me try to help a little
> (remember, you asked for
On Wednesday, September 01, 2010 18:29:13 JB wrote:
> Please feel free to add some thoughts to my modest idea of the future
> concept of security.
Since you are apparently serious about this, let me try to help a little
(remember, you asked for it! :-) ...):
> This is my idea of the new security
Gordon Messmer <...@eburg.com> writes:
>
> On 09/01/2010 05:35 AM, JB wrote:
> > This idea is so sick - any real sys admin wants to know her machine inside
> out,
>
> There are more than two thousand items in my $PATH. Yours is probably
> similar. Do you understand what every one of them do? Are
On Wednesday, September 01, 2010 17:05:42 Tom Horsley wrote:
> On Wed, 01 Sep 2010 23:50:16 +0800
> Ed Greshko wrote:
> > Maybe all the folks that deem SELinux unnecessary, too complex, or
> > whatever would be interested in switching to OpenSUSE and their AppArmor
> > method?
>
> Nah, AppArmor i
On Wednesday, September 01, 2010 17:02:34 Michael Semcheski wrote:
> On Wed, Sep 1, 2010 at 10:48 AM, Marko Vojinovic wrote:
> > It's just that some people are too lazy to read and understand two or
> > three man pages.
>
> Which two or three man pages cover everything selinux related?
The only
On Wed, 01 Sep 2010 23:50:16 +0800
Ed Greshko wrote:
> Maybe all the folks that deem SELinux unnecessary, too complex, or
> whatever would be interested in switching to OpenSUSE and their AppArmor
> method?
Nah, AppArmor is even more useless. Fortunately the one thing it has
in common with selin
On Wed, Sep 1, 2010 at 10:48 AM, Marko Vojinovic wrote:
> It's just that some people are too lazy to read and understand two or three
> man pages.
Which two or three man pages cover everything selinux related?
I like SELinux, but it's got its rough edges, for example:
"/bin/bash is using a leaked
On Wednesday, September 01, 2010 16:04:55 JB wrote:
> I think the more profound question has to be asked - does it serve the
> Linux community (professional and amateur) ?
Well, it certainly did serve me, when one of my user's account got compromised
--- SELinux was the one stopping the intruder
On Wed, 1 Sep 2010 12:35:14 + (UTC)
JB wrote:
...snip...
> This is my idea of the new security concept:
> - it should be real-time (operating in a background)
> - it should be modular in the sense of traditional small, single
> function, and stand-alone UNIX utilities
> - it has to be simple
On 09/01/2010 05:35 AM, JB wrote:
> This idea is so sick - any real sys admin wants to know her machine inside
> out,
There are more than two thousand items in my $PATH. Yours is probably
similar. Do you understand what every one of them do? Are you
experienced with development in C and asse
Maybe all the folks that deem SELinux unnecessary, too complex, or
whatever would be interested in switching to OpenSUSE and their AppArmor
method?
Whew!! Finally someone said it for me! :)
Thank you JB.
On 09/01/2010 05:35 AM, JB wrote:
> Hi,
>
> SELinux is a bad thing, concept- and design-wise.
> It should be stopped now - it is a waste of resources, a blind alley.
> The Linux community should stop receiving "gifts" (trojan horses) of th
Marko Vojinovic <...@gmail.com> writes:
>
> On Wednesday, September 01, 2010 13:35:14 JB wrote:
> > SELinux is a bad thing, concept- and design-wise.
> [snip]
>
> Are you trying to be funny? I seem to have missed a smiley or SCNR or such...
>
> There are already two long philosophical threads about
On Wednesday, September 01, 2010 14:31:55 Bruno Wolff III wrote:
> On Wed, Sep 01, 2010 at 12:35:14 +,
> JB wrote:
> > - it has to be simple to be acceptable and understandable by all sys
> > admins and
>
> Selinux is fundamentally simple. When a process acts on an object, the
> label of th
Bryn M. Reeves <...@redhat.com> writes:
> ...
> http://en.wikipedia.org/wiki/Kexec
> http://en.wikipedia.org/wiki/Ksplice
>
> Regards,
> Bryn.
Hi,
yes, thanks for the clarification.
JB
On Wednesday, September 01, 2010 13:35:14 JB wrote:
> SELinux is a bad thing, concept- and design-wise.
[snip]
Are you trying to be funny? I seem to have missed a smiley or SCNR or such...
There are already two long philosophical threads about SELinux still active,
surely you are not serious abo
On 09/01/2010 01:35 PM, JB wrote:
> - due to kernel update (this is almost done with e.g. kexec in Linux)
That's just a faster way of rebooting (bypasses the platform firmware
initialisation).
Are you confusing kexec and ksplice?
http://en.wikipedia.org/wiki/Kexec
http://en.wikipedia.org/wiki/Ks
> The top brass of Linux community has by now a life-time experience of "what
> works and what does not" and should be capable of initiating and rethinking
Actually we don't. We have some experience but system wide security is a
hard problem. People like the NSA have been studying it since the 19
On Wed, Sep 01, 2010 at 12:35:14 +,
JB wrote:
>
> The "Relabel on next reboot" is a major design flaw.
> "Select if you wish to relabel then entire file system on next
> reboot. Relabeling can take a very long time, depending
> on the size of the system. If you are changing policy typ
Hi,
SELinux is a bad thing, concept- and design-wise.
It should be stopped now - it is a waste of resources, a blind alley.
The Linux community should stop receiving "gifts" (trojan horses) of that
nature.
There is no point of maintaining a SELinux-like monster that is on purpose so
complicated t
54 matches