On Friday 05 March 2004 03:34 pm, scott.marlowe wrote:
> Sorry, but that's the wrong answer. Once someone has root on a unix box
> her can do ANYTHING he wants. and he can cover his tracks.
This is what things like the capabilities system and SELinux are designed to
prevent in the Linux world. As Fedora Core 2 will ship with SELinux
installed and enabled, it will become much more difficult for someone to
randomly get root and do damage. It is quite simple with SELinux to prevent
any of the attacks you mentioned. Root is no longer root. Things on an
SELinux system, or a system fully implementing the kernel capabilities model,
can indeed be locked away from root, at least in network attached multiuser
mode. This does, of course, make maintenance of the data more difficult; one
must be at the console in a special mode to do full maintenance. But someone
remotely cracking root no longer is the threat they once were, when some
system like SELinux is in use.
--
Lamar Owen
Director of Information Technology
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC 28772
(828)862-5554
www.pari.edu