Linux security

Michael T. Richter ttmrichter at gmail.com
Sun Apr 30 00:54:46 UTC 2006

On Sat, 2006-29-04 at 21:29 +0200, Alan McKinnon wrote:

> > Another bolding.  I just downloaded the acl utilities from
> > universe. Where's the "write-append" access?  Even with the acl
> > extensions in place you still can't match the functionality that is
> > in Windows NT-based systems out of the box.

> Why do you want that fine level of control? I've yet to see a valid 
> case where such fine control on a file system is truly indicated.

I have a log file, say, that a cluster of applications writes to as an
audit trail.  I want only those applications to access it.  (SELinux
provides me with that level of control.)  And I want those applications
to be able to write to the end of the log file, but not be able to read
the file nor alter any contents once written.

You can hack a solution around that, but any such solution is just that:
a hack.

> I see what you are getting at - being able to allow/disallow specific 
> actions on file by file basis. But keep in mind that each new 
> combination of facility/control doubles the number of settings, and 
> this very quickly gets out of hand and becomes a maintenance 
> headache. Witness the number of Windows boxen where the user runs as 
> an admin just to get their work done. Yes I know there are ways to 
> avoid this, but how many people really do it? Reading between the 
> lines I suspect you do, but that'll make you one of a very few that I 
> know of to have made that claim.

I find the sudden backpedal amusing.  (Not you, but of the community as
a whole.)  Not that many messages ago it was all braggadocio about how
"Linux offers finer-grained control over security" and now it's suddenly
"why would you want that fine a level of control over security?"

This cuts to the heart of the whole anti-Windows crowd's problem: they
don't actually know the platform they're criticising.  I hear claims
made here on this mailing list alone which are absolutely, stunningly
breathtaking in their sheer ignorance.  Usually from the same people who
shout "FUD!" at the top of their lungs whenever anybody says anything
negative about Linux, ironically enough.

Here's my gentle proposal to people (and not you, I stress Alan -- you
seem to know enough about the Windows platform to have an informed
opinion): learn what you're critiquing so that those of us who actually
do know it can't throw your absolutely staggering ignorance back in your
face with a sardonic laugh.

> Very fine grained control is very useful in a database for example, 
> where the data domain being stored is narrowly defined. But in 
> something as generic as a file system I don't see it being used much 
> outside of very specialized needs. And just because something can be 
> done doesn't mean it should be done.

A file system is essentially a hierarchical database.  ;)

But yes, just because something can be done doesn't mean it should be.
This is why I've used the ultra-fine grained security under Windows NT
about five times in twelve years of working with it.  (Incidentally this
ultra-fine grained security isn't just on files.  Another area where
Windows NT as a platform is way ahead of stock Linux, with or without
fsattr and fsacl utils.  I can put that security on sockets, named
pipes, synchronisation primitives, etc. -- anything with a HANDLE type
attached to it.)  But the advisability of it wasn't my point.  My point
was that total ignoramuses were talking shit about how the UNIX security
model is finer-grained than that available under Windows.

> If you want write-append access, ext2 implements an append-only 
> attribute.

Ooh!  Now that is interesting.  I really do miss write-append.  How do I
go about using it?  (And does Reiser support it since most of my
partitions are reiserfs, not ext3fs?)

--
Michael T. Richter
Email: ttmrichter at gmail.com, mtr1966 at hotpop.com
MSN: ttmrichter at hotmail.com, mtr1966 at hotmail.com; YIM:
michael_richter_1966; AIM: YanJiahua1966; ICQ: 241960658; Jabber:
mtr1966 at jabber.cn

"Sexual organs were created for reproduction between the male element
and the female element -- and everything that deviates from that is not
acceptable from a Buddhist point of view. Between a man and man, a woman
and another woman, in the mouth, the anus, or even using a hand." --The
Dalai Lama
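
The two mechanisms discussed in this message (plain permission bits plus O_APPEND, versus the append-only inode attribute that Alan mentions) differ in what they actually enforce. The script below is an added example, not code from anyone in the thread; it assumes a Linux box with chattr(1) from e2fsprogs installed. It creates a write-only (mode 0200) audit log, appends to it with >>, tries to set the kernel append-only flag, and then attempts the thing an audit log must resist: truncating it with O_TRUNC. chattr +a needs CAP_LINUX_IMMUTABLE (normally root) and a filesystem that honours the flag, so the function records whether the flag took effect rather than assuming it; on a filesystem where it does not (check with lsattr(1), including on reiserfs), you see what mode 0200 alone buys you.

```shell
#!/bin/sh
# Added example (not from the thread): contrast plain POSIX permissions
# (write-only mode 0200, O_APPEND via >>) with the kernel append-only
# inode flag set by chattr(1).  Prints: flag truncated readable lines
append_only_demo() {
    dir=$(mktemp -d) || return 1
    log="$dir/audit.log"
    touch "$log"
    chmod 0200 "$log"                 # owner may write; nobody may read

    echo "first entry" >> "$log"      # >> opens with O_APPEND: the "write-append" path

    # Can the writing identity read its own trail?  (root bypasses DAC)
    if cat "$log" >/dev/null 2>&1; then readable=1; else readable=0; fi

    # Ask the kernel to enforce append-only.  1 if it took effect, 0 if
    # chattr is missing, we lack CAP_LINUX_IMMUTABLE, or the fs ignores it.
    if chattr +a "$log" 2>/dev/null; then flag=1; else flag=0; fi

    # The attack: reopen the log with O_TRUNC to wipe what was written.
    # Mode 0200 alone permits this; with the append-only flag the open()
    # fails with EPERM.  ('true' rather than ':' so a redirection error
    # cannot abort a POSIX shell.)
    if true > "$log" 2>/dev/null; then truncated=1; else truncated=0; fi

    echo "second entry" >> "$log"     # appending keeps working either way

    # Cleanup: an append-only file cannot be unlinked until the flag is cleared
    if [ "$flag" = 1 ]; then chattr -a "$log"; fi
    chmod 0600 "$log"
    lines=$(wc -l < "$log" | tr -d ' ')
    rm -rf "$dir"

    echo "$flag $truncated $readable $lines"
}
```

Run as an unprivileged user on ext2/ext3/ext4 you get `0 1 0 1`: the writer could not read the log, but it could also destroy it, so "write-append" was only a convention of the opener. Run as root on a filesystem that honours the flag you get `1 0 1 2`: the first entry survives the truncation attempt because the kernel, not the application, refuses it. Note that neither mechanism restricts which programs may open the file; that part of the use case still needs an MAC layer such as SELinux.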