Thread: OpenBSD The insecurity of OpenBSD
View Single Post
Old 22nd January 2010
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
Join Date: May 2008
Location: USA
Posts: 6,510

Originally Posted by allthatiswrong View Post
I think you may have missed the point of my article, and also grossly oversimplified, and thus dismissed my argument.
I don't believe I missed your point, which was that ACL/MAC are the overarching panacea for mitigating the damage of an intrusion. I happen to disagree with that assessment.
I'm happy to discuss that argument, but so far all I have seen are dismissals, not rebuttals.
I would normally be delighted, but:
  • Many people have been rebutting your arguments, both on misc@ and on your wordpress blog.
  • I don't wish to repeat their arguments, nor do I think I would be able to add much significantly new or unique in any line-by-line argument.
  • See below for an argument which I'm not sure has been mentioned, yet.
So when you need to run software that has not been audited, and someone breaks in and their is no sufficient way to limit what they can do, this is fine?
There are many different kinds of intrusions that ACL and MAC will not mitigate. Root level intrusions come to mind, as do DBMS intrusions such as SQL injection.

Should I need an ACL for some reason on an OpenBSD platform, there is one: AFS, which has a multi-layer ACL. OpenBSD has the Arla AFS client built in to the base system, and the OpenAFS server available in the ports tree, with authentication for both managed via the built in Heimdal Kerberos service. An ACL can be useful for policy governance.

Last edited by jggimi; 22nd January 2010 at 06:48 PM.
Reply With Quote