[Lias] Re: [acscomputers] Google rewrites?

John Summerfield summer at corridors.wa.edu.au
Wed Aug 24 19:37:02 UTC 2005


Paul Gear wrote:

>>
>>they can use Google, but they gotta do it safely.
> 
> 
> But if you've got your preference set (as i do), the safe=strict part
> doesn't appear in the URL.  That's why i just want to add it to the end
> of every google search.

Oh.

That might be able to be locked down on each pc. I think local policies 
can be set to prevent their change.

I agree, fixing it in Squid is more easily done.

> 
>>...
>>
>>>>The example I saw only works properly if you limit to one copy.
>>>
>>>
>>>One copy running in memory?  That wouldn't work for us.  We have about
>>>400 end nodes, and if we have less than about 30 redirectors, it runs
>>>out regularly.
>>
>>That's why I changed it: all the tees in the example were writing to a
>>single file, each opening it itself. My version uses a different file
>>for each tee.
> 
> 
> Right - i'm with you now.
> 
> 
>>>>...
>>>>I ran this on WBEL 4 which has selinux enforcing nice behaviour. I could
>>>>not create the files in /tmp which, I suppose, is good.
>>>
>>>
>>>Not very application-friendly, though...
>>
>>Define "application-friendly."
> 
> 
> Not requiring applications to be rewritten in order to work correctly.

They don't need to be rewritten (unless they piss all over the place), 
just configured properly.

If you find a flaw in my web server or MTA, I don't want you uploading 
an IRC bot into /var/tmp or a root kit into /tmp and taking over the world.



> 
> 
>>If someone breaks your php application (not entirely unknown),
> 
> 
> Yeah - i got bitten by the PHP XMLRPC bug recently.  Cost me a bit of
> time reinstalling the box.  :-(

selinux _may_ have saved you the trouble

> 
> 
>>that someone doesn't get access to much more.
>>Sounds fairly friendly to me. One just has to learn to deal with it.
> 
> 
> I guess so.  If most apps use defined APIs for getting temporary file
> locations, they should work.

I've not installed many web applications, and none at all in any 
selinux-enabled systems.

I have a vhost that serves install (RH/WB/FC/Debian) files from 
/var/local. I was quite pleased when selinux prevented it. It was easily 
fixed, but I had to choose to do it.





> 
> 
>>...
>>Linux is now getting the level of security that's been available in
>>serious operating systems for decades, and I for one think it about time.
> 
> 
> Define "serious operating systems".  :-)

I used to work on IBM mainframes running MVS/SP (ACF/II) and its 
successors, and Facom mainframes running OSIV/F4 with RACF (both in the 
early 80s). The linux security is fairly feeble in comparison with what 
we had then.

For example, there was nothing analogous to the root user.




-- 

Cheers
John
Corridors College Western Australia
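
The rewrite discussed in this message (adding safe=strict to every Google search from a Squid redirector), as an added example that is not code from this thread or from Squid. It assumes the classic redirector line format (requested URL as the first field of each input line, rewritten URL or an empty line as the reply); the host-matching policy and function names are illustrative.

```python
#!/usr/bin/env python3
# Added example: Squid redirector that forces safe=strict on Google searches.
# Assumed helper protocol (classic redirector format): each stdin line starts
# with the requested URL; reply with the rewritten URL, or an empty line to
# leave the request unchanged.
import sys
from urllib.parse import urlsplit, urlunsplit, unquote


def is_google_search(parts):
    """Assumed policy: google.* hosts (with or without www), path /search."""
    labels = (parts.hostname or "").lower().split(".")
    if labels[0] == "www":
        labels = labels[1:]
    return labels[:1] == ["google"] and parts.path == "/search"


def force_safe(url):
    """Return the URL with safe=strict enforced, or None if no change is needed."""
    try:
        parts = urlsplit(url)
        if not is_google_search(parts):
            return None
    except ValueError:  # malformed URL: pass it through untouched
        return None
    # Work on the raw query string so other parameters keep their exact bytes.
    # Drop any client-supplied safe= value (including a percent-encoded key)
    # so that a user's safe=off cannot override the appended setting.
    kept = [p for p in parts.query.split("&")
            if p and unquote(p.split("=", 1)[0]).lower() != "safe"]
    kept.append("safe=strict")
    new_url = urlunsplit(parts._replace(query="&".join(kept)))
    return new_url if new_url != url else None


def handle_line(line):
    """Map one redirector request line to the reply line (without newline)."""
    fields = line.split()
    if not fields:
        return ""
    return force_safe(fields[0]) or ""


if __name__ == "__main__":
    for request in sys.stdin:
        sys.stdout.write(handle_line(request) + "\n")
        sys.stdout.flush()  # Squid waits for each reply; never buffer
```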



