RE: RSBAC suggestions / Problems

From: "Kaladis" <kaladis@gmx.de>
Subject: RE: RSBAC suggestions / Problems
Date: Wed, 11 Jul 2001 20:10:22 +0200

Next Article (by Date): RE: Planning v1.2.0 "Kaladis"
Previous Article (by Date): Re: RSBAC suggestions / Problems Arkady A Drovosekov
Top of Thread: RSBAC suggestions / Problems "Kaladis"
Next in Thread: RE: RSBAC suggestions / Problems Amon Ott
Articles sorted by: [Date] [Author] [Subject]

> You and all others: Do you think, there should be a global RSBAC config
switch
> 'Disable Linux filesystem access control', which disables all Linux
filesystem
> access control in vfs_permission()?

I'm not very fond of the idea to disable that globally. Instead of having it
globally I would have it inheritant to a chosen directory or so. Everything
beeing RSBAC only is somewhat chaos IMO. The only good way for a global
switch would be adding a script that reads all files and such and then
automagically applies RSBAC rules so that all permissions are the same as
before but RSBAC controlled - and from what point secure modification is
possible.

> On Usenix conference, I heard people complain about any difference.
Specially
> many main kernel developers think that any general performance loss by
> possibly more security is not acceptable. For me, like you, performance is
less
> important than security.

I think that on systems where high performance is mandatory nobody would get
the anal idea to implement things like ACL or MAC anyways. If one really
needs much performance AND stuff like MAC at the same time then he or she
mostlikely is a company anyways since such a high load on modern systems
need many traffic or users. And if it's a company it shouldn't be that hard
to buy two PC's and cluster them together so that performance isn't an issue
anymore.

- Jörg Lübbert

-
To unsubscribe from the rsbac list, send a mail to
majordomo@rsbac.org with
unsubscribe rsbac
as single line in the body.

Go to Compuniverse LWGate Home Page.