File monitoring and Obfuscation

gpb

Member

Reaction score: 16
Messages: 53

ehmmm only if the are in the root acount, also they cannot change system settings,so,dont install sudo
and choose a good root password, but for sure you already know this
Security in Linux and BSD hasn't really changed since UNIX was created. Plan 9 redesigned it. There is no root account or superuser; only a host owner, who doesn't have any special privileges (and don't say, but Ubuntu won't let you su to root. Yeah, and? It still uses sudo to get elevated privileges). Also central to Plan 9 security is the factotum, which securely holds a copy of the user’s keys and negotiates authentication protocols, on behalf of the user, with secure services around the network.

Security in Plan 9
 

wolffnx

Well-Known Member

Reaction score: 73
Messages: 402

Security in Linux and BSD hasn't really changed since UNIX was created. Plan 9 redesigned it. There is no root account or superuser; only a host owner, who doesn't have any special privileges (and don't say, but Ubuntu won't let you su to root. Yeah, and? It still uses sudo to have get privileges). Also central to Plan 9 security is the factotum, which securely holds a copy of the user’s keys and negotiates authentication protocols, on behalf of the user, with secure services around the network.

Security in Plan 9
I dont know plan 9...so..
you meant the popular "sudo su" ?
 

Lamia

Aspiring Daemon

Reaction score: 130
Messages: 576

That's the thing I was thinking about! Thank you.
And
 

ralphbsz

Daemon

Reaction score: 1,546
Messages: 2,477

Security in Linux and BSD hasn't really changed since UNIX was created.
While I agree that Plan 9 was actually designed from the lessons of the past ...

Unixes have changed a lot. ACLs, capabilities, secure levels, SELinux, encrypted disks, jails/VMs/..., leaving empty pages at the end of stacks and heaps, protecting executable code against being written, ...
And people have started paying attention to it. Like auditing code, testing, having government standards, ...

So it has changed a lot since Dennis and Ken.
 

mjollnir

Aspiring Daemon

Reaction score: 269
Messages: 658

On Solaris you can have two (or more) human persons share the traditional root (administrator) account. I.e. one can do some tasks (roughly related to what would be allowed for members of the operator group), but all other wheel members can see a log, and vital tasks need to be allowed rubber-stamped by both/all admins. Similar to the procedure to fire an atomic missile. Don't know how to do that on FreeBSD. IMHO that would be a really useful enhancement. EDIT IIRC that is called roles, i.e. you can make the root account a role. Then you can not log in as root anymore, but take that role when you need it.
 

mark_j

Well-Known Member

Reaction score: 172
Messages: 445

That's correct, RBAC is its name. And it's even more fine grained than you mention. You can basically eliminate root usage entirely. Anyone interested can read up about it. Is there anything similar in FreeBSD? Unfortunately not, more's the pity. It would be a major task to undertake, given it relies on shells, programs and the kernel to be modified. More doable on *BSD than say Linux, though.

I've administered it in the past, and it's a bit of a headache to set up but once set up you can give someone the role of printer administrator, access to just the web server etc. In environments with tight security enforcement its well liked.
 
Top