Linux security

[Alan McKinnon]

On Saturday 29 April 2006 20:29, Daniel Carrera wrote:
> Alan McKinnon wrote:
> > The hard part with a Linux virus is not writing it, it's
> > *deploying* it.
>
> Okay, why are they harder to deploy? You're just nit-picking on
> terms. The point is trying to figure out if Linux is less
> vulnerable to malware.

We discussed this elsewhere, no need to do it again here :-)

> > A possible solution is to overhaul the OS in such a way that data
> > files can be tagged as writable only by specified apps i.e. only
> > *this* signed copy of OO.o can write to *that* .odt file. I
> > really don't think this is workable, the admin burden and
> > inconvenience will be large.
>
> SELinux to the rescue?

I'm always reluctant to recommend solutions like that, simply because 
of the admin burden that tends to develop. I appreciate the 
technicalities of the solution but I do find in practice that if a 
solution becomes a burden and it can be disabled (or everything 
switched off) then users will do just that. Heck, I even do it myself 
from time to time on my own personal machines.

There's this fine balancing act between security and ease of use. I 
don't have the magic bullet that let's us divine where that balance 
is for case X :-)

-- 
If only you and dead people understand hex, 
how many people understand hex?

Alan McKinnon
alan at linuxholdings dot co dot za
+27 82, double three seven, one nine three five