
People would just be more creative; a curl url | sh, that script copies rm from bin to current directory, executes it there etc.

Might help in a few cases, but would lull people into a false sense of security.



Just make it work at the kernel syscall level. Maybe make it so you can have policies where syscalls can only affect some directories.

Maybe we should call it "selinux"


Of course, but that has a reputation as being hard to set up into a configuration that doesn't get in the way.


Ah, yes, and not allowing deleting files or changing permissions and so on would give you security without ever getting in the way. Silly me.



