Operating Systems > Linux and UNIX
Linux vs Windows a real life comparison
cymon:
--- Quote from: Aloone_Jonez ---Then the normal user should only be able to execute binarys from two directories one that contains the OS system files and the other containing user programs. However while this might be the most secure OS model it isn't practical at the moment as it'd break compatability with nearly all the old software.
--- End quote ---
Why? What would be the big deal with running from another directory? As long as the user has to specifically invoke the executable, who cares where it resides?
Aloone_Jonez:
Only allowing binary execution from two designated system directories which the user doesn't have permission to write to would stop the them from running an executable they've downloaded, received in an email or got from a CD or floppy disk, this would make it impossible for a them to infect the system with a virus.
cymon:
It would also make it physically impossible to install software. If you're going to do this, you have to have something like sudo. Also, Safari will check any files for executables, whether it's an archive, disk image, etc. It even detects .exe apps. I'm sure something like this could be implemented for mail.
Orethrius:
--- Quote from: cymon ---It would also make it physically impossible to install software.
--- End quote ---
Agreed. I happen to think application installs should *always* be confined to userspace, or better yet, an isolated subset thereof with zero write permissions to external directories. All temp files would be contained in the same directory, not particularly hard to pull off. That way, the worst any one program can do is wipe itself out.
--- Quote from: cymon ---If you're going to do this, you have to have something like sudo.
--- End quote ---
Unfortunately, as toadlife pointed out, sudo has its own set of problems. It's fine, however, if you can insure that you will be the only person EVER using your login (that means no installs of unchecked code in your userspace, or worse, /usr/bin).
--- Quote from: cymon ---Also, Safari will check any files for executables, whether it's an archive, disk image, etc.
--- End quote ---
I think we can all agree that this is "a good thing." However, if the end-user is uneducated regarding the proper action for unknown executables, they will just run them anyway. I have a buddy who's constantly cleaning out his PC because his idiot brother keeps clicking "Yes" to every download/install dialog he sees.
--- Quote from: cymon ---It even detects .exe apps. I'm sure something like this could be implemented for mail.
--- End quote ---
This HAS been implemented by numerous ISPs on numerous dates, only to later be repealed because poor Joe Averageguy can't read the .rtf(.vbs) that was sent to him by [email protected]. What ISPs need to start doing is educating customers about the dangers of viruses (being careful not to take the oh-so-infamous alarmist tone that turns Luddites off to new technologies completely), while simultaneously allowing themselves to lose a few customers that expect them to make decisions that endanger the whole of their subscriber base. There's something to be said about an uncompromisingly secure ISP, and word travels fast to the appropriate people.
Aloone_Jonez:
--- Quote from: cymon ---It would also make it physically impossible to install software. If you're going to do this, you have to have something like sudo.
--- End quote ---
That would be the plan, also you'd have to class scripts as executables too.
Another method might be to have a configuration file containing a list of paths and file names and checksums of approved executables that normal unprivilaged users can run but this might slow the system down a bit too much.
Navigation
[0] Message Index
[#] Next page
[*] Previous page
Go to full version