Lennart Poettering wrote:
On Mon, 22.06.09 09:33, Arnold Krille (arnold(a)arnoldarts.de) wrote:
You practically cannot take group membership away from a user after
you gave it to him, and also adding a separate group for every tiny
bit you need to authorize access to doesn't scale.
security is a matter of good design, not of "oh, look, he has become
evil, let's revoke his privileges" ad-hockery.
it should never be necessary to automatically revoke rights from users.
if i have to get rid of a misbehaving creature fast, "passwd -l villain"
in combination with "mv ~villain/.ssh /tmp" and a quick pkill fixes
things for me. and the very good part is that this decision is made by a
human, not by some imperial shitload of policy that caters to the needs
of some mythical desktop user.
your rtkit cannot protect against anything, you can just play policy
catch-up with evildoers forever. that's about the same level of security
that outgoing firewalls in windows provide - you depend on process names
and whatnot, and if i rename "Internet Explorer.exe" to "Windows
Update.exe", i'm free to do as i please (not quite, but you get the idea).
this is *not security*. this is theater. proper security sometimes
includes the wisdom that certain threats cannot be met without throwing
out the child with the bathwater. some daemon fiddling with rt privs at
runtime in my book qualifies as drowning the child first, then throwing
it out. maybe eating it afterwards, but i'm not sure.