privilege separation ?

[barti]

Hi again,


I want to ask about privilege separation, it is from this link.

http://allthatiswrong.wordpress.com/...ty-of-openbsd/


--------



> Since the majority of attacks are not against the base system but against software operating at a higher level actively
> listening over the network, it is likely that if an OpenBSD machine were attacked, it would be through such software.
> This is where OpenBSD falls down, as it provides no means to protect from damage in the event of a successful attack.


What BS! You don’t seem to be aware that OpenBSD lead the charge years ago for “priv sep”, and to this day installs
every single ‘ports/packages’ daemon with a distinct, non-privileged userid – a good idea which not only proves that your
statement above is based on ignorance, but provides “secure by default” a strong measure of what the formal approaches claim to offer
but make complex to implement. And it’s also been copied into leading Linux distributions, e.g., Android does exactly the
same thing for every app you install.

--------

Many people indeed dismiss openbsd because of this idea, openbsd wont save you from sql attacks or bad php code.


I don't get it, is that true? does "privilege separation" really is a saver or not?

a real advantage even against sql attacks or php code problems ?

If not, then openbsd is useless as a web server .



Thanks .