Dailydave mailing list archives

Re: Solaris 11 is a bit Twilight Zone


From: William McVey <wam () cisco com>
Date: Wed, 01 Nov 2006 13:20:44 -0600

On Wed, 2006-11-01 at 08:42 -0500, Dave Aitel wrote:
> Zones, Roles, Permissions, blah blah. No one in their right mind is
> going to use this. The people who I talked to were all looking for a
> way to move to Linux but needed realtime kernel support, which is
> coming soon, I think.

I'm kind of surprised to see you mark these features off as
too complicated for real world use. Zones, roles, and obviously
permissions aren't new and there are equivalent features (with
equivalent complexity) in most other modern operating systems, including
obviously Linux. Zones and Containers have been around since at least
Solaris 10, going as far back as 2004. I can tell you first hand, server
virtualization in the data center is a big technology push and Solaris
Containers are a really powerful player in this field. The motivation to
deploy a container might not originate from security motivations in all
cases, but I can clearly see it becoming a tool in a practitioner's
arsenal for segmenting and partitioning users.

Solaris's role-based access control and permission infrastructure go back
even further to Solaris 8 and never struck me as any more complicated
than the other fine-grained access control alternatives out there
(including both generic Linux Capabilities and SE-Linux style mandatory
access controls).

Administrators can obviously go crazy in tweaking the deployments of
RBAC or Zones/Containers, but from a technology standpoint, I don't see
the complexity of these solutions as being enough to deter them from
large scale deployments in the enterprise.

  -- William