| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 8 Mar 2010 18:18:21 -0500 From: Eric Paris <eparis@...isplace.org> To: "Eric W. Biederman" <ebiederm@...ssion.com> Cc: Linus Torvalds <torvalds@...ux-foundation.org>, Alan Cox <alan@...rguk.ukuu.org.uk>, Ingo Molnar <mingo@...e.hu>, James Morris <jmorris@...ei.org>, linux-kernel@...r.kernel.org, Kyle McMartin <kyle@...artin.ca>, Alexander Viro <viro@....linux.org.uk> Subject: Re: Upstream first policy On Mon, Mar 8, 2010 at 6:02 PM, Eric W. Biederman <ebiederm@...ssion.com> wrote: > Linus Torvalds <torvalds@...ux-foundation.org> writes: > >> On Mon, 8 Mar 2010, Alan Cox wrote: >>> >>> Quite untrue. I've actually *used* path based security systems (DEC10 >>> ACLs) and for almost every case its brain-dead. >>> >>> Imagine a world where this happened >> >> Alan, stop right there. >> >> You're making the same silly and incorrect mistake that Al did. >> >> Namely thinking that you have to have just one or the other. >> >> When you say "your /etc/passwd example is a special case", you are >> admitting that there are two different cases, but then after that, you >> still don't see the whole point I'm trying to make. >> >> Let me try again: >> >> THERE ARE DIFFERENT CASES >> >> That's the point. Just admit that, and then let the calm of "Ooh, there >> are different kinds of circumstances that may want different kinds of >> rules" permeate you. >> >> My whole (and only) argument is against the "only one way is correct" >> mentality. > > > Reading through all of this it occurred to me there is a case where > path names are fundamentally important shows up for me all of the > time. If pathnames were not fundamentally important we could apply > a patch like the one below and allow unprivileged users to unshare > the mount namespace and mount filesystems wherever. There is nothing > fundamental about those operations that require root privileges except > that you are manipulating the pathnames of objects. > > Unfortunately if we did that suid executables would become impossible > because they couldn't trust anything to start with. You do realize that with content based security systems the pathnames aren't important and you could implement your example patch? Sure a user could mount something on /lib and put their own files there, but since that user couldn't get them labelled correctly the suid app would not be able to use them and would fail. Users would have new and interesting way to break their computers! I thank you for your vote for content based security systems instead of pathname systems and look forward to your future contributions to either that body of knowledge or the bridging of the gap between the two *smile* -Eric -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists