lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 7 Nov 2011 23:29:15 +0400
From:	Vasiliy Kulikov <segoon@...nwall.com>
To:	kernel-hardening@...ts.openwall.com
Cc:	Valdis.Kletnieks@...edu, linux-kernel@...r.kernel.org,
	Alexey Dobriyan <adobriyan@...il.com>,
	Andrew Morton <akpm@...ux-foundation.org>,
	linux-security-module@...r.kernel.org,
	Linus Torvalds <torvalds@...ux-foundation.org>
Subject: Re: [kernel-hardening] Re: [PATCH] proc: restrict access to
 /proc/interrupts

On Mon, Nov 07, 2011 at 11:18 -0800, H. Peter Anvin wrote:
> On 11/07/2011 11:01 AM, Vasiliy Kulikov wrote:
> > 
> > What's wrong with old good DAC?  You can create a group "sysinfo", do
> > "chown sysinfo /proc/interrupts", and add the permitted users to the
> > group.  If you need to give different access levels to different interrupts,
> > you need another /proc/interrupts design, it does nothing with DAC vs. LSM.
> > 
> 
> I would like to propose that we add a mount option to procfs, and
> possibly sysfs, called, say, admingrp.

Similar proposals:

(procfs for /proc/$PID/* permissions, sorry about different threads)
https://lkml.org/lkml/2011/6/15/172
https://lkml.org/lkml/2011/6/15/174
https://lkml.org/lkml/2011/6/15/173
https://lkml.org/lkml/2011/6/15/177
https://lkml.org/lkml/2011/6/15/175
https://lkml.org/lkml/2011/6/15/176

(change uid/gid for newly created sysfs objects)
https://lkml.org/lkml/2011/5/18/272


As to procfs, I see no real need of adding mode/group mount option for
global procfs files (/proc/interrupts, /proc/stat, etc.) - it can be
done by distro specific init scripts (chown+chmod).  I don't mind
against such an option for the convenience, though.


> The current Linux trend seems to be do instead force those users to
> become root constantly, which is *not* helping the situation.

Agreed.


Thanks,

-- 
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ