From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([69.77.167.62] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1L543a-0005S2-6G for garchives@archives.gentoo.org; Tue, 25 Nov 2008 19:58:46 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 79285E05A5; Tue, 25 Nov 2008 19:58:45 +0000 (UTC) Received: from yw-out-1718.google.com (yw-out-1718.google.com [74.125.46.156]) by pigeon.gentoo.org (Postfix) with ESMTP id 54597E05A5 for ; Tue, 25 Nov 2008 19:58:45 +0000 (UTC) Received: by yw-out-1718.google.com with SMTP id 5so81914ywm.46 for ; Tue, 25 Nov 2008 11:58:43 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:in-reply-to:mime-version:content-type :content-transfer-encoding:content-disposition:references; bh=ZWY5VHrcEXwSPybtWKmzxElkygAWcFkTe+q8X+ctShU=; b=B0JWkXA0mHvel+H3w1i9EFJOIW/LcVSfTBPA/6almTEXkfIPDQI7NcJ5NJ9dBFhjcF JNDfFph5cFM0uw87I16quB7jb+/94cj8lKMJT86xuTRB4HdWI0IZn1fteQSNSdk7w3EO 6oDc+HuFIOWsrJxcMpZVHh1uQV90mTiRPro38= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:in-reply-to:mime-version :content-type:content-transfer-encoding:content-disposition :references; b=UsPxLqNMfKtCPOXn3Q+LS2jZSixhZ2199b3cyxfxGMhpKfAJEB5v2ZIAF7Se4/j2/v lRernUgUFJcCpMaEp2RfSIIQ02KNeF4uoCqw94nXqBBF87lZMQ/Zr9wbWl/mVe8kpkmn 3Ndje8A9HFsazhvxVESc2Y6xXI//FQ125PQhE= Received: by 10.142.199.10 with SMTP id w10mr2005930wff.94.1227643122680; Tue, 25 Nov 2008 11:58:42 -0800 (PST) Received: by 10.142.215.15 with HTTP; Tue, 25 Nov 2008 11:58:42 -0800 (PST) Message-ID: <4255c2570811251158n28f3274ch34e87a1a3f1eacb6@mail.gmail.com> Date: Tue, 25 Nov 2008 12:58:42 -0700 From: RB To: gentoo-hardened@lists.gentoo.org Subject: Re: [gentoo-hardened] hardened workstation - is that worth it? In-Reply-To: <200811251700.45540.janklodvan@gmail.com> Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-hardened@lists.gentoo.org Reply-to: gentoo-hardened@lists.gentoo.org MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <200811251700.45540.janklodvan@gmail.com> X-Archives-Salt: 0975d747-140f-4a23-98e7-504bcdc5ff40 X-Archives-Hash: 5aae565b924e3ac744458694288d7b6e On Tue, Nov 25, 2008 at 08:00, Jan Klod wrote: > Suppose, I want to take some extra precautions and set up PaX&co and MAC on a > workstation with Xorg and other nice KDE apps (only some of which should be > granted access to files in folder X). I would like to read others opinion, if > I can get considerable security improvements or I will have to make that much > of exceptions to those good rules, as it makes protection too useless? KDE (and to a lesser extent X) pretty much nullifies most application isolation efforts you're going to make. Even if you ran each application under a dedicated user and in its own chroot environment, the GUI provides IPC facilites that will readily bypass all your hard effort. As with your other email, clicking a link in one app opens a browser window in another, regardless of what user separation you might have - KDE does this under the covers, since it's what most users would actually want, but you perceive it as a security breach. "Extra precautions" is incredibly nebulous and you won't get much help in security circles unless you have specific, addressable concerns. You can do all the hardening you want, but generally speaking the more user-friendly and complex your system is the more security concessions you are going to have to make.