Dailydave mailing list archives

Re: Re: Hacking's American as Apple Cider


From: Nick Drage <nickd () metastasis org uk>
Date: Wed, 14 Sep 2005 12:20:34 +0100

On Sat, Sep 10, 2005 at 08:30:32PM +0100, pageexec () freemail hu wrote:

> on the 'default permit' issue: it is not the dumbest idea, it is the
> only way that can scale in systems. take a (not exactly big by any
> measure) company with 1000 users and 1000 executable files that these
> users need. that's an access control matrix with a million elements.
> you tell me how you fill it in and maintain it in a way that is
> feasible and cost effective in the long term.

When are users going to need *1000* executables?  In a "standard"
corporation / SME / whatever I would expect most people to only need up
to 20 to do their day to day work.  As for those 1000 users, there will
be entire swathes of them that have the same requirements because they
essentially carry out the same task or do the same job, so they are
effectively just the one user... suddenly that million element control
matrix looks a lot, lot simpler.

I mean whitelisting this isn't trivial, especially for hosts, if it was
we'd all be using SELinux by now, but at the moment Marcus looks like
the special guest at a scarecrow convention, what with all the straw men
being thrown his way...

-- 
When the pin is pulled, Mr. Grenade is not our friend.
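
The reduction argued in the message above, as an added example that is not part of the original post or thread: users with identical requirements collapse into one role, and a default-deny allowlist is kept per role instead of per user. The job functions, executable names and counts are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (not from the post): 1000 users spread over 4 job
# functions, each needing a few executables out of a 1000-file estate.
JOB_NEEDS = {
    "finance":   {"excel.exe", "sap.exe", "outlook.exe"},
    "support":   {"crm.exe", "outlook.exe", "browser.exe"},
    "developer": {"gcc", "git", "vim", "browser.exe"},
    "reception": {"outlook.exe", "browser.exe"},
}
JOBS = list(JOB_NEEDS)
USER_NEEDS = {f"user{i:04d}": JOB_NEEDS[JOBS[i % 4]] for i in range(1000)}
TOTAL_EXECUTABLES = 1000


def collapse_to_roles(user_needs):
    """Group users whose required executable sets are identical into one role."""
    members = defaultdict(list)
    for user, needs in user_needs.items():
        members[frozenset(needs)].append(user)
    ordered = sorted(members.items(), key=lambda kv: sorted(kv[0]))
    # Each distinct requirement set becomes one role: (allowlist, member users).
    return {f"role{n}": (allow, users) for n, (allow, users) in enumerate(ordered)}


def policy_sizes(user_needs, roles, total_executables):
    """Return (cells in the full user x executable matrix, entries kept with roles)."""
    full_matrix = len(user_needs) * total_executables
    allow_entries = sum(len(allow) for allow, _ in roles.values())
    # Role-based policy = allowlist entries + one role assignment per user.
    return full_matrix, allow_entries + len(user_needs)


def is_allowed(user, executable, roles):
    """Default deny: permit only if the user's role allowlist names the executable."""
    for allow, users in roles.values():
        if user in users:
            return executable in allow
    return False  # unknown user: nothing is permitted


if __name__ == "__main__":
    roles = collapse_to_roles(USER_NEEDS)
    full, reduced = policy_sizes(USER_NEEDS, roles, TOTAL_EXECUTABLES)
    print(f"{len(roles)} roles; full matrix {full} cells vs {reduced} maintained entries")
    print("user0000 may run gcc:", is_allowed("user0000", "gcc", roles))
```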

