[lug] KDE
D. Stimits
stimits at idcomm.com
Tue Jan 8 15:53:30 MST 2002
rm at fabula.de wrote:
>
> On Tue, Jan 08, 2002 at 09:55:28AM -0600, Peter Hutnick wrote:
> > jeremy wrote:
> >
> > >Hello
> > >
> > >Does any one know of a great link to lock down a KDE session. I am using
> > >the Linux Terminal Server Project, and would like to make it really hard
> > >for my users to open unauthorized programs, and get into any mischief.
> > >
> > >I would like this config to be system wide so I would not have edit each
> > >users .kde/share/config, or whatever config. Are there Security Policies
> > >in Linux (Redhat 7.2) that are simular to a Windows2000 active directory
> > >group policy?
> > >
> > >Thanks for your time
>
> Yes, for the problem stated i'd go with group permissions, that _should_
> be enough.
>
> > UNIX has a pretty powerful security model. Why try to re-invent this in
> > the window manager? Even if you have some great answer to that,
> > wouldn't a user be able to easily side-step that "security" by not using
> > KDE?
> >
> > I think you should look into using file modes/ownership and user groups
> > to manage this. This all works largely the way it works in NT/Win2k.
> > Did you think that that stuff was MS innovation? (They call file modes
> > "NTFS permissions".)
> >
>
> The classic *NIX/Linix security model does show it's age. File access
> limitation and a rather coarse ulimit are ok in a "friendly" environment
> but probably not enough for some higher security demands. There's a reason
> for advanced security features in some *NIX OSs (AIX uses ACLs for example)
> and for the security patches by the NSA. or have a look at some of BSD's
> security features for example. The fact that even root isn't allowed to
> do everything is a big help in certain situations -- most of the recent
> expoits would just not work.
> BTW, not _everything_ comming from MS is bad, and not every feature NT
> has is snarfed from *NIX :-) One of NT's prominent ancessors is VMS/VAX,
> an OS that had some pretty nice security features too ....
Some filesystems support permissions beyond the usual user/group/other.
The XFS filesystem supports more advanced Access Control Lists (ACL's
for short) that go far beyond this course granularity. Check out:
http://oss.sgi.com/projects/xfs/features.html
The only thing is that XFS is not supported without getting an XFS
kernel. But if you do this and mount a data and non-system bin
partition, you can do extraordinary things. You *must* be certain that
the version you get is considered "good", there are patches for various
kernel numbers, even for RH kernels to install by, but you want a solid
version for your running system; if you do not need to run your root
partition on XFS, this is trivial. And XFS is *very* good performance
and meta journalling.
D. Stimits, stimits at idcomm.com
>
> Ralf Mattes
> > -Peter
> >
> > _______________________________________________
> > Web Page: http://lug.boulder.co.us
> > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> _______________________________________________
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
More information about the LUG
mailing list