| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 28 Dec 2009 22:10:28 +0000 (UTC) From: daw@...berkeley.edu (David Wagner) To: linux-kernel@...r.kernel.org Subject: Re: RFC: disablenetwork facility. (v4) Pavel writes: > Policy may well be "If the network works, noone can > log in locally, because administration is normally done over > network. If the network fails, larger set of people is allowed in, > because something clearly went wrong and we want anyone going around > to fix it." Michael Stone writes: > Have you actually seen this security policy in real life? Pavel responds: > Actually, I've seen a *lot* of similar [..] policies. OK, so to translate: it sounds like the answer is No, you haven't seen this policy in real life. More to the point, the real question is whether this policy is embedded in code anywhere such that Michael's mechanism would introduce a new security hole, and if so, whether the cost of that would outweigh the benefit of his mechanism. I think the answer is, No, no one even has a plausible story for how this policy might appear in some legacy executable that would then be newly subvertible due to Michael Stone's policy. First off, this sounds like a pretty wacko policy. Second, it's unlikely to be embedded in a setuid-root executable that anyone can execute. Third, if there were such a setuid-root executable (which I've already argued is in fantasy land, but let's suppose pigs could fly and such a thing existed in practice), there are other ways to attack it: such as by using up all available file descriptors and then forking and execing that executable. Fourth, even if it existed, it would be a very rare one-off site-specific thing. But most importantly, we're way off the rails onto speculation. Of course you can always imagine some conceivable scenario under which any new mechanism might have unwanted side effects -- that's just the nature of any complex system -- but I don't see any reasonable argument at all that Michael's mechanism will cause more harm than good. Bottom lien: I agree with Michael Stone. I think this objection is weak. I think what Michael is trying to do has the potential to be very valuable and should be supported, and this is not a convincing argument against it. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists