Thread: OpenBSD The insecurity of OpenBSD
View Single Post
  #9   (View Single Post)  
Old 22nd January 2010
Carpetsmoker's Avatar
Carpetsmoker Carpetsmoker is offline
Real Name: Martin
Tcpdump Spy
Join Date: Apr 2008
Location: New Zealand
Posts: 2,201

Hello and welcome.

From your article:
The OpenBSD approach to security is primarily focused on writing quality code, with the aim being to eliminate vulnerabilities in source code. To this end, the OpenBSD team has been quite successful, with the base system having had very few vulnerabilities in "a heck of a long time". While this approach is commendable, it is fundamentally flawed when compared to the approach taken by various extended access control frameworks.
These options are not mutually exclusive. A large number of security issues are due to "stupid mistakes" such as not checking return codes and the like. Writing quality code is not just the OpenBSD approach for a secure system, but it is necessary for a secure system.

Whether or not ACL's, MAC labels, and whatnot are good security features is a entirely different discussion. If you are going to implement such feature, then they must be writing with quality code or else there will be security holes.

In any case, ACL's are not a magic bullet for a secure system, point in case being the MS Windows Nt/2000/XP/Vista/7 systems, which all have ACLs are are not exactly widely known for their security
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
Reply With Quote