Date: Wed, 16 Apr 2014 14:25:30 -0400
From: Vivek Goyal <vgoyal@...hat.com>
To: Andy Lutomirski <luto@...capital.net>
Cc: Simo Sorce <ssorce@...hat.com>, David Miller <davem@...emloft.net>,
    Tejun Heo <tj@...nel.org>, Daniel Walsh <dwalsh@...hat.com>,
    "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
    lpoetter@...hat.com, cgroups@...r.kernel.org, kay@...hat.com,
    Network Development <netdev@...r.kernel.org>
Subject: Re: [PATCH 2/2] net: Implement SO_PASSCGROUP to enable passing cgroup path

On Wed, Apr 16, 2014 at 11:13:31AM -0700, Andy Lutomirski wrote:

[..]
> > Ok, so passing cgroup information is not necessarily a problem as long
> > as it is not used for authentication. So say somebody is just logging
> > all the client request and which cgroup client was in, that should not
> > be a problem.
>
> Do you consider correct attribution of logging messages to be
> important? If so, then this is a kind of authentication, albeit one
> where the impact of screwing it up is a bit lower.

So not passing cgroup information makes attribution more correct. Just
logging of information is authentication how? Both kernel and user space
log messages into /var/log/messages and kernel messages are prefixed with
"kernel". So this somehow becomes a sort of authentication. I don't get it.

> >
> > I agree that before somebody uses cgroup information for authentication
> > purposes, maybe there needs to be a bigger debate whether this info
> > can be used safely for authentication purposes or not and in what
> > circumstances it is safe to use for authentication.
>
> I thought that the original intended user of these patches was SSSD.
> I have no idea what SSSD wanted them for, but I think it may better.

SSSD wanted to use this information too. And I think this is a good time
to revisit and discuss can cgroup information be used safely for
authentication or not.

> >
> > But that does not mean that API to pass the cgroup information around is
> > wrong.
> >
>
> It may not be wrong, but it might be extremely difficult or impossible
> to use it safely. I think that's something to avoid.

At least I can't see a problem with logging example yet.

Thanks
Vivek