Thread: OpenBSD The insecurity of OpenBSD
View Single Post
Old 22nd January 2010
allthatiswrong allthatiswrong is offline
New User
 
Join Date: Jan 2010
Posts: 4
Default

Quote:
Originally Posted by jggimi View Post
Personally, I find ACLs, unless carefully designed, nearly always difficult to manage, and due to that difficulty, often poorly managed. (MACs are far more intrusive, by design, and have commensurate complexity and management concerns, but let us stay focused on ACLs.)
An argument against complexity only works for specific implementations.

Your ACL example sounds absolutely horrible, but this is not a problem with the technology itself, or perhaps even that implementation of the technology. Its hard to say without knowing more details...it could have just as easily been poor design and management.

Using SELinux as an example, many people say this is too complex and disable. EVen if this is true, it is an argument against that particular implementation. GRSecurity, AppArmor and RSBAC all are easier to administer, and have saner error messages and policies.

The technology can be implemented in a way that is easy to administer without sacrificing functionality. The problem here is that the OpenBSD team refuses that any increase in security is provided.
Reply With Quote