[Bug 578922] Re: mysql configuration should be adjusted to help prevent against chained attacks against LAMP stack

[Michael Brooks]

Hey Jamie,

For the most part I agree with your stance and I am happy to see the summary update.  I also totally agree with this statement:
"Our stance is that if a security feature[SELinux] breaks default and common configurations, users will turn off the feature."

PHP-Nuke will not run on a default Fedora system because of SELinux and
I think that the most common response is for people to disable it all
together.  I agree that a security measure like this should be avoided
at all costs in Ubuntu.  I think that we can both agree that there is a
common ground in terms of security and usability.   I will keep an eye
on this problem and see that it matures properly.

You are correct AppArmor doesn't have a feature to protect the context
in which data is accessed like SELinux,  and it would be nice if it did.
My argument is that AppArmor with its current feature set can be
configured to break my exploit,  but other proven security measures can
also be used to address this issue.  I would like to be involved with
Hardened Ubuntu to help find a good solution to these problems.

Thanks Again,
Michael

-- 
mysql configuration should be adjusted to help prevent against chained attacks against LAMP stack
https://bugs.launchpad.net/bugs/578922
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to mysql-dfsg-5.1 in ubuntu.