SELinux last straw
andy at warmcat.com
Wed Oct 17 20:03:25 UTC 2007
Somebody in the thread at some point said:
> Arthur Pemberton wrote:
>>> The shortcut test is to su to the user in question and try to access the
>>> file/device. The only slightly more complicated way is to walk down the
>>> path looking at the permissions for user/group/other on the file and the
>>> directories above.
>> Well, these "traditional" methods didn't work for your friend Karl,
>> since he was hacked with them.
> Perhaps he had a false sense of security from the supposed other layers
> claimed to be present, when paying attention to the obvious would have
> been more beneficial. That's the main reason I question the value of
> SELinux in the first place. It doesn't come into play unless you have
> already made a mistake with the simple things and it diverts attention
> and makes it appear to be unimportant to get those things right.
It's generally accepted that layers of security are a good thing.
Turning what you say around, relying on getting one brittle layer
completely right and having nothing behind it doesn't sound like a
Considering where the real hacks actually come from, you might get PHP
"safe mode" completely "right" but somebody knows a sneaky way out
anyway. If SELinux is there to spew a log alert when he tries to spawn
a shell, that is very valuable indeed.
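
The "walk down the path" check described in the quoted text, as an added example that is not part of the original thread. The function names and the sample tree are constructed for illustration, and only traditional mode bits are evaluated, which is the layer the thread contrasts with SELinux.

```python
import os, stat, tempfile

def class_bits(st, uid, gids):
    # The kernel picks exactly one class: owner, else group, else other.
    # An owner match never falls through to the group/other bits.
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def walk_path(path, uid, gids, want=4):
    """Return [(component, mode, granted)] from / down to path.
    Directories need search (1); the last component needs `want`
    (4=read, 2=write, 1=execute). Mode bits only: ACLs, capabilities,
    root's override and SELinux policy are not evaluated."""
    chain = [os.path.realpath(path)]
    while chain[-1] != os.path.dirname(chain[-1]):
        chain.append(os.path.dirname(chain[-1]))
    chain.reverse()
    rows = []
    for comp in chain:
        st = os.stat(comp)
        need = want if comp == chain[-1] else 1
        granted = (class_bits(st, uid, gids) & need) == need
        rows.append((comp, stat.filemode(st.st_mode), granted))
    return rows

def first_denial(rows):
    # First component, top down, whose mode bits refuse the request.
    return next((comp for comp, _, ok in rows if not ok), None)

def build_sample_tree():
    # Constructed sample: a world-readable file inside a 0700 directory.
    top = os.path.realpath(tempfile.mkdtemp())
    os.chmod(top, 0o755)
    inner = os.path.join(top, "private")
    os.mkdir(inner)
    os.chmod(inner, 0o700)
    target = os.path.join(inner, "notes.txt")
    with open(target, "w") as fh:
        fh.write("constructed sample\n")
    os.chmod(target, 0o644)
    return inner, target

if __name__ == "__main__":
    inner, target = build_sample_tree()
    other = os.stat(target).st_uid + 1  # hypothetical non-owner uid
    for comp, mode, ok in walk_path(target, other, set()):
        print(mode, "ok  " if ok else "DENY", comp)
```

A file that looks readable on its own can still be unreachable because a directory above it lacks search permission, which is why the walk covers every component and not just the last one.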