[Lvlug] Security: Program Whitelist
Randy Kramer
rhkramer at gmail.com
Sat Apr 15 09:58:00 EDT 2006
Thanks to all who replied!
Doh, don't know why I didn't think about the x bit, looks like that does deal
with most of the problem (will have to think some more--I guess if somebody
substitutes a hacked version of a program, that person must also set the x
bit on that hacked version--I guess I can test that out.)
The other problem I was thinking about was Java and JavaScript from a web
page running in a browser. Does the x bit affect those? I see that Scott
mentions (below) "signed applets and whatnot, restricted access for
executable"--I guess the restricted access is security set up by your
browser? (I.e., allowing or not-allowing such scripts to run, usually
(afaik) on a wholesale basis (allow Java/JavaScript or not).)
Hmm, would it make sense to run your browser in a chroot jail? Probably
not--presumably all the other stuff you want to use (and files you want to
preserve) are in that same chroot jail, and thus "exposed".
So, why am I asking these questions? More or less idle curiosity--I'd sort of
like to know how I might increase security on my system, but I'm not really
aware of any problems at the moment, so ...
Comments welcome!
Randy Kramer
On Friday 14 April 2006 03:45 pm, Scott Piccotti wrote:
> On Apr 14, 2006, at 12:34 PM, Randy Kramer wrote:
> > I heard an interesting idea a few weeks ago, [...] a whitelist of
> > programs--only programs on that whitelist could run on your system.
> > [...] I just wondered if anybody here heard of that idea before
>
> This is the basic premise for security in Java, no? Signed applets
> and whatnot, restricted access for executables. Same for ActiveX, I
> think.
>
> > [http://www.ranum.com/security/computer_security/editorials/dumb/]
> > The Six Dumbest Ideas in Computer Security
>
> Maybe it's just me, but I've always thought this article reads like a
> long, elaborate troll. It's more hindsight than insight.
>
> Quoth Ricardo:
> > Maybe it works on Windows,
>
> I wouldn't know how to begin attempting such a thing on Windows. It
> always seems to do an "I know what's best for you" anyway.
>
> > It's not going to run unless you put it there and set it +x.
>
> Which means I actually *can* control what runs and what doesn't.
> Amazing!
>
>
> _______________________________________________
> Lvlug mailing list
> Lvlug at thelinuxlink.net
> https://www.thelinuxlink.net/mailman/listinfo/lvlug
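
The substitution case raised in the message above, as an added example that is not part of the original thread: executables are compared against a recorded list of SHA-256 hashes, so a replaced program that still has its x bit set is reported as modified. All function names, file names and sample scripts here are constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile

def sha256_of(path):
    """Return the SHA-256 hex digest of a file's contents."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def executables(root):
    """Yield regular files under root that have any execute bit set."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks
            if stat.S_ISREG(st.st_mode) and st.st_mode & 0o111:
                yield path

def build_allowlist(root):
    """Record the known-good state: relative path -> SHA-256."""
    return {os.path.relpath(p, root): sha256_of(p) for p in executables(root)}

def audit(root, allowlist):
    """Classify each executable file as ok, modified or not-listed."""
    report = {}
    for path in executables(root):
        rel = os.path.relpath(path, root)
        if rel not in allowlist:
            report[rel] = "not-listed"
        else:
            report[rel] = "ok" if allowlist[rel] == sha256_of(path) else "modified"
    return report

def demo():
    """Constructed sample: scripts in a temporary directory, changed after listing."""
    with tempfile.TemporaryDirectory() as root:
        def write(name, body, mode):
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write(body)
            os.chmod(path, mode)
        write("backup", "#!/bin/sh\necho backup\n", 0o755)
        write("report", "#!/bin/sh\necho report\n", 0o755)
        allowlist = build_allowlist(root)
        write("backup", "#!/bin/sh\necho replaced\n", 0o755)  # substituted, still +x
        write("newtool", "#!/bin/sh\necho new\n", 0o755)      # added later, +x
        write("notes", "plain data\n", 0o644)                 # no x bit: not audited
        return audit(root, allowlist)
```

A check like this is only as trustworthy as the stored list, so the allowlist belongs somewhere the audited account cannot write.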