On Wednesday, February 7, 2024, Joel Jacobson <joel@compiler.org> wrote:
> On Fri, Sep 8, 2023, at 23:43, Magnus Hagander wrote:
>> We need a "allowlist" of things a user can do, rather than a blocklist
>> of "they can do everything they can possibly think of and a computer
>> is capable of doing, except for this one specific thing". Blocklisting
>> individual permissions of a superuser will never be secure.
> +1 for preferring an "allowlist" approach over a blocklist.
The status quo is to allow everything, so while the theory is nice, it seems that requiring it to be an allowlist is just going to scare anyone off of actually improving matters.
Also, this isn't necessarily about blocking the superuser; it is about effectively disabling features deemed undesirable at runtime. All features enabled by default seems like a valid policy.
While the only features likely to be disabled are those involving someone's definition of security, the security policy is still that the superuser can do everything the system is capable of doing.
David J.