Dailydave mailing list archives

Re: Re: Hacking's American as Apple Cider


From: pageexec () freemail hu
Date: Wed, 14 Sep 2005 13:22:18 +0100

On 14 Sep 2005 at 12:20, Nick Drage wrote:
> On Sat, Sep 10, 2005 at 08:30:32PM +0100, pageexec () freemail hu wrote:
>
> > on the 'default permit' issue: it is not the dumbest idea, it is the
> > only way that can scale in systems. take a (not exactly big by any
> > measure) company with 1000 users and 1000 executable files that these
> > users need. that's an access control matrix with a million elements.
> > you tell me how you fill it in and maintain it in a way that is
> > feasible and cost effective in the long term.
>
> When are users going to need *1000* executables?  In a "standard"
> corporation / SME / whatever I would expect most people to only need up
> to 20 to do their day-to-day work.

you didn't pay attention, did you ;-). i said 'executable FILES',
not merely 'executables' for a reason. when you run firefox, you
not only get one 'executable' mapped into memory but 50 other
libraries as well (give or take a few, you get the idea). in the
'default deny' world that means that you would have to explicitly
exclude everything else 'executable' present in the system from
being able to load into firefox (in addition to all the 'executables'
that the given user is not supposed to run at all). ditto for all
the other 'executables' of course (including interpreters and the
scripts that can be fed into them). now, on my little development
system at last count i had something like 3000 'executable files',
presumably all of which i needed at one point in time (i.e., it's
not just some default install of some distro). if you look at what
a corporation of said magnitude (and that's not a big company as
i said) installs for different users, you will easily get the 1000
'executable files', all of which must be dealt with in the access
control matrix, should you want the 'default deny', that is.

> As for those 1000 users, there will
> be entire swathes of them that have the same requirements because they
> essentially carry out the same task or do the same job, so they are
> effectively just the one user... suddenly that million element control
> matrix looks a lot, lot simpler.

well then, i'm waiting for the URL where i can buy the product that
does the work; everything else is empty speculation or wishful thinking,
which was kinda the point i was making. in security many people had
ideas that would give us such nice security if we could just overcome
this or that little detail; 'default deny' is no exception to that.

> I mean whitelisting this isn't trivial, especially for hosts,

does the access control matrix look 'a lot, lot simpler' or is this
not trivial suddenly? somehow you can't have it both ways, i think ;-).

> if it was we'd all be using SELinux by now,

now you know the reason for that (SELinux not being any particular
example, other access control systems all run into the complexity
and scalability problem eventually).

> but at the moment Marcus looks like
> the special guest at a scarecrow convention, what with all the straw men
> being thrown his way...

what's the straw man here? you either apply 'default deny' consistently
(and end up in obviously silly situations, i.e., you just prove that
'default deny' is not 'better' than 'default permit' in all cases) or
you don't (then what's the 'default' in there?).

also, now that you responded to this part of my mail, what's with
a+x? do you agree that it's 'default permit' and hence insecure
according to the 'default deny' paradigm? if so, why are you using
it yourself? maybe because that's about the only sane and usable way
of doing it? ;-)

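The following is an added example, not part of the thread and not anyone's posted code, that models the point argued above: under 'default deny' the subject axis of the matrix collapses nicely into roles, but the object axis is every executable file on the box, because a policy has to cover the libraries, interpreters and scripts a process maps, not just the handful of programs a user launches. The dependency graph, role names and user names are constructed for illustration (the library names are not a real ldd dump), and the computed numbers are for this toy system only.

```python
from collections import deque

# Constructed dependency graph (illustrative names, not a real ldd dump):
# executable file -> other executable files it maps or invokes at run time.
DEPS = {
    "firefox":        ["libxul.so", "libgtk.so", "libnss3.so", "libc.so"],
    "libxul.so":      ["libpthread.so", "libc.so"],
    "libgtk.so":      ["libglib.so", "libc.so"],
    "libglib.so":     ["libc.so"],
    "libnss3.so":     ["libnspr.so", "libc.so"],
    "libnspr.so":     ["libpthread.so", "libc.so"],
    "libpthread.so":  ["libc.so"],
    "libc.so":        [],
    "python3":        ["libpython.so", "libc.so"],
    "libpython.so":   ["libpthread.so", "libc.so"],
    "report.py":      ["python3"],          # a script is useless without its interpreter
    "bash":           ["libreadline.so", "libc.so"],
    "libreadline.so": ["libc.so"],
    "backup.sh":      ["bash", "tar"],
    "tar":            ["libc.so"],
    "gcc":            ["cc1", "as", "ld", "libc.so"],
    "cc1":            ["libc.so"],
    "as":             ["libc.so"],
    "ld":             ["libc.so"],
    "mspaint.exe":    [],                   # installed, but nobody's job needs it
}

# What each (hypothetical) role launches by hand: the "20 or so" of the thread.
ROLES = {
    "sales": ["firefox", "report.py"],
    "ops":   ["firefox", "backup.sh"],
    "dev":   ["firefox", "python3", "gcc", "bash"],
}

# Hypothetical users collapsed onto roles.
USERS = {"alice": "sales", "bob": "sales", "carol": "ops", "dave": "dev"}


def all_executable_files(deps):
    """Every file on the system that can be mapped or run: the object axis."""
    return set(deps) | {d for ds in deps.values() for d in ds}


def closure(starts, deps):
    """Transitive closure over the load graph: everything a process started
    from `starts` may end up executing, libraries and interpreters included."""
    seen, queue = set(), deque(starts)
    while queue:
        f = queue.popleft()
        if f in seen:
            continue
        seen.add(f)
        queue.extend(deps.get(f, ()))
    return seen


def allow_list(role):
    """Default-deny policy for a role: the full closure, not the launch list."""
    return closure(ROLES[role], DEPS)


def is_allowed(user, path):
    """Default deny: absent an explicit entry the answer is no."""
    return path in allow_list(USERS[user])


def matrix_size(users, roles, deps):
    """Cells needing an explicit decision under default deny:
    (subjects) x (every executable file), per user and after collapsing to roles."""
    n_files = len(all_executable_files(deps))
    return len(users) * n_files, len(roles) * n_files


def roles_touched_by(path):
    """Role policies that must be edited when `path` changes (an upgrade that
    renames a library, say): the maintenance cost the thread argues about."""
    return sorted(r for r in ROLES if path in allow_list(r))


if __name__ == "__main__":
    for role in ROLES:
        print(f"{role:5s} launches {len(ROLES[role])} programs, "
              f"must allow {len(allow_list(role))} executable files")
    print("matrix cells per-user / per-role:", matrix_size(USERS, ROLES, DEPS))
    print("alice may run firefox:", is_allowed("alice", "firefox"))
    print("alice may run gcc:", is_allowed("alice", "gcc"))
    print("libc.so change touches roles:", roles_touched_by("libc.so"))
```

Even in this toy, 'sales' launches two programs but its policy has to name eleven files, and a change to libc.so touches every role's policy; the role collapse shrinks the subject count from four to three while the object count (twenty files here, thousands on a real development box) is untouched. To do this for real, the dependency edges would come from tooling such as ldd and from interpreter shebang lines, and would have to be regenerated on every package update.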
