[Lvlug] Security: Program Whitelist
rhkramer at gmail.com
Sat Apr 15 09:58:00 EDT 2006
Thanks to all who replied!
Doh, don't know why I didn't think about the x bit, looks like that does deal
with most of the problem (will have to think some more--I guess if somebody
substitutes a hacked version of a program, that person must also set the x
bit on that hacked version--I guess I can test that out.)
page running in a browser. Does the x bit affect those? I see that Scott
mentions (below) "signed applets and whatnot, restricted access for
executeable"--I guess the restricted access is security set up by your
browser? (I.e., allowing or not-allowing such scripts to run, usually
Hmm, would it make sense to run your browser in a chroot jail? Probably
not--presumably all the other stuff you want to use (and files you want to
preserve) are in that same chroot jail, and thus "exposed".
So, why am I asking these questions? More or less idle curiosity--I'd sort of
like to know how I might increase security on my system, but I'm not really
aware of any problems at the moment, so ...
On Friday 14 April 2006 03:45 pm, Scott Piccotti wrote:
> On Apr 14, 2006, at 12:34 PM, Randy Kramer wrote:
> > I heard an interesting idea a few weeks ago, [...] a whitelist of
> > programs--only programs on that whitelist could run on your system.
> > [...] I just wondered if anybody here heard of that idea before
> This is the basic premise for security in Java, no? Signed applets
> and whatnot, restricted access for executeables. Same for ActiveX, I
> > [http://www.ranum.com/security/computer_security/editorials/dumb/]
> > The Six Dumbest Ideas in Computer Security
> Maybe it's just me, but I've always thought this article reads like a
> long, elaborate troll. It's more hindsight than insight.
> Quoth Ricardo:
> > Maybe it works on Windows,
> I wouldn't know how to begin attempting such a thing on windows. It
> always seems to do an "I know what's best for you" anyway.
> > It's not going to run unless you put it there and set it +x.
> Which means I actually *can* control what runs and what doesn't.
> Lvlug mailing list
> Lvlug at thelinuxlink.net
More information about the Lvlug