Thread: OpenBSD The insecurity of OpenBSD
22nd January 2010
jggimi

2. You can't seriously be suggesting running a DFS locally as a substitution for a MAC implementation because it has an ACL?
My point was that an ACL is available, while your blog said one was not. But I am seriously suggesting running AFS for an organization that needs an ACL, if AFS itself adds value.

Personally, I find ACLs, unless carefully designed, nearly always difficult to manage, and due to that difficulty, often poorly managed. (MACs are far more intrusive, by design, and have commensurate complexity and management concerns, but let us stay focused on ACLs.)

Here is a real world example regarding ACLs:
One of my tasks for a large, commercial customer is to find a way to eliminate, dismantle, or circumvent the ACL structure that was intended to govern access to a major document repository, but has only gotten in the way of the repository's functionality. The ACL was implemented at senior management's request, and is now to be either eliminated, dismantled, or circumvented -- at senior management's request. It impacts 2400 users across two continents. The impact of the current ACL is so intrusive into business operations that senior management is willing to expend capital to duplicate the entire infrastructure, minus the ACLs, if that is what is required.
Would I use OpenBSD if I needed an ACL? Perhaps, but only if AFS provided additional advantages, which it might. But I am a strong proponent of the right platform for the right reasons, driven downward by a business or organization: goals & objectives -> requirements -> application -> architecture -> infrastructure -> platform. And, when the infrastructure includes a network, I look to see if OpenBSD can add value to it. It may not be the appropriate application platform, but it might be useful in an adjunct capacity.