Dailydave mailing list archives
Re: Re: Hacking's American as Apple Cider
From: Nick Drage <nickd () metastasis org uk>
Date: Wed, 14 Sep 2005 12:20:34 +0100
On Sat, Sep 10, 2005 at 08:30:32PM +0100, pageexec () freemail hu wrote:
> on the 'default permit' issue: it is not the dumbest idea, it is the only way that can scale in systems. take a (not exactly big by any measure) company with 1000 users and 1000 executable files that these users need. that's an access control matrix with a million elements. you tell me how you fill it in and maintain it in a way that is feasible and cost effective in the long term.
When are users going to need *1000* executables? In a "standard" corporation / SME / whatever I would expect most people to only need up to 20 to do their day to day work. As for those 1000 users, there will be entire swathes of them that have the same requirements because they essentially carry out the same task or do the same job, so they are effectively just the one user... suddenly that million element control matrix looks a lot, lot simpler.

I mean, whitelisting this isn't trivial, especially for hosts; if it was we'd all be using SELinux by now, but at the moment Marcus looks like the special guest at a scarecrow convention, what with all the straw men being thrown his way...

--
When the pin is pulled, Mr. Grenade is not our friend.