me nuts... I have to copy and paste your replies.
trixter wrote:
> it also relies upon linux, and not everyone using asterisk is using
> linux. Anything that further ties asterisk to a particular operating
> system seems counterproductive.
>
> systrace would likely be a better unix alternative than selinux given
> what selinux does (generally speaking it adds a 3rd id to the uid/gid
> pair).
While systrace can be useful, it is yet another piece of software you need
to maintain and can open security bugs. Most of the 1.6x updates of
Systrace are due to CERT security bulletins or privilege escalation bugs.
It's great for making sure users on the box are being good, but since
we're talking about a server, not a multi-user login-able system, systrace
is more of a 3rd line of defense than 1st. Plus it may open you to MORE
risk, due to the occasional security bug in systrace, especially if you
aren't good at keeping up with the latest versions.
Beckman
---------------------------------------------------------------------------
Peter Beckman Internet Guy
beckman@angryox.com http://www.angryox.com/
---------------------------------------------------------------------------