Comment Re:LOL - You actually asked slashdot what OS to us (Score 1) 434
OSX 10.6 will be replaced and DISCON, will be actively unsupported by Apple.
How can anything be `actively unsupported'?
OSX 10.6 will be replaced and DISCON, will be actively unsupported by Apple.
How can anything be `actively unsupported'?
ERRATA NOTICE
Good morning,
Your shill welcome pack contained a misprint on page 49, section 3, the term 'C+' should be 'C++'.
Best regards,
Apple
The mailserver is just an example. There is plenty of insecure software running as root.
FTFY
MAC cannot prevent the exploit as such, but it can make the attacker completely limitless. You can take away execute permission, write permission (allowing just append), no file creation, absolutely nothing except the very minimal that the program actually needs.
This sounds a lot like what securelevel(7) already does.
There is absolutely no reason to have a user with absolute power when we have the technology to segregate power and duties, there by significantly reducing the attack surface.
There is absolutely no reason to put up walls so the sysadmin can't do anything, rather than fix the bugs that let an attacker gain root in the first place.
OpenBSD doesn't want to take over the world, see the project goals. This doesn't stop their work becoming used on a large scale, but this happens because of the software's features and technical superiority.
On the other hand, many Linux advocates seem to be obsessed with the idea of world domination. I've seen these people choose Ubuntu for reinstall/upgrade jobs when their friends and family would genuinely be more comfortable, and better off, with Windows or OS X.
Decide for yourself which is the more noble goal.
The fact that the OS code is audited is nice, but can't protect against other insecure software. If you run postfix which isn't audited, and it has a hole and the attacker gets root, then there is nothing to stop them.
Maybe I'm wrong, but if the mail server isn't crap it should give up root privileges as soon as possible. So, to get root you need to do two things.
1) Exploit a bug in the mail server
2) Exploit a bug in the operating system to gain root privileges
If MAC is part of the operating system, and can therefore contain operating system bugs, how does it mitigate step 2? How does it mitigate it any more than an operating system without MAC?
An example from a commenter on the blog is that he needed to prevent root from reading users files. OpenBSD is almost the only OS left that can't meet this requirement.
Are you serious? The root user has ultimate power by definition. That's been the case with *NIX for decades.
It's entirely possible that a piece of hardware you buy contains portions of *BSD code.
So maybe at some point you will use it, if you don't already, just not how you'd expect.
I'm surprised you have time to investigate other operating systems if you're thinking in MMORPG analogies.
The archaic UNIX security model is exactly that, archaic. There are needs it cannot meet, and something like MAC is needed.
When operating system code is security audited, what needs can the *NIX security model not meet?
No, Ubuntu isn't unusable because of omitting features. It's unusable because what they start with is unusable, and they have nowhere to go from there.
Much like security. You can't bolt on features after the fact and suddenly have a secure product.
That MAC is anything but bloated a waste of time.
The notion that adding security as an afterthought is a good idea.
Maybe if the article had any real merit, instead of making stupid statements that aren't true.
It's a shame the author's love affair with MAC can't help him write a decent article.
I wonder how many installations of Linux have SELinux disabled because it broke something.
...hostile user community and theocratic leader...
I've observed the OpenBSD attitude as being anything but religious in most cases, at least compared to FSF/GNU folk, and far closer to the laudable `shut up and hack'. The community may appear hostile, but successful users need to have initiative rather than being spoon fed. `RTFM', or a milder equivalent, is often the best way to encourage that.
That article has been posted several times on *BSD mailing lists and is hardly relevant to the release of a new version.
I wonder if an article criticizing the security of Slashdot's darling OS, Linux, would receive such positive moderation on a release story.
And it should be the law: If you use the word `paradigm' without knowing what the dictionary says it means, you go to jail. No exceptions. -- David Jones