Date:	Mon, 8 Mar 2010 16:10:16 -0800 (PST)
From:	Linus Torvalds <torvalds@...ux-foundation.org>
To:	Rik van Riel <riel@...hat.com>
cc:	Alan Cox <alan@...rguk.ukuu.org.uk>, Ingo Molnar <mingo@...e.hu>,
	James Morris <jmorris@...ei.org>, linux-kernel@...r.kernel.org,
	Kyle McMartin <kyle@...artin.ca>,
	Alexander Viro <viro@....linux.org.uk>
Subject: Re: Upstream first policy



On Mon, 8 Mar 2010, Rik van Riel wrote:
> 
> > But that thing is _independent_ from the other totally unrelated issue,
> > namely the fact that "/etc/passwd" is a special name in the namespace. In
> > other words, there is "content security", but then there is also
> > "namespace security".
> 
> ... what exactly does the namespace security protect against?
> 
> What is the threat model that the namespace security protects
> against, which is not protected by the content based security?

Umm? Seriously? 

What is _any_ security all about? You try to limit the opportunity for 
damage, accidental or not.

So let's take a trivial example. Let's say that you are root, and you edit 
/etc/shadow by hand. I've done it, you've probably done it, it's not 
rocket science. Now, you do it using any random editor, and most likely 
it's going to write the new file into a temp-file, and then rename that 
temp-file over the old file (perhaps creating a backup of the old file 
depending on editor and settings).

Now, think about what that implies for a moment. Especially consider the 
case that there were ACL's ("inode-based security") on the old /etc/passwd 
or /etc/shadow file that got moved away as a backup. What happened to 
those ACL's when you edited the file using a random editor?

Now, do you see what the difference between pathname-based and inode-based 
security is? Do you realize how if anybody wants to track accesses to 
/etc/shadow, they are not going to be interested in the _old_ backup copy 
of /etc/shadow?

				Linus
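
The editing scenario in the message above, as an added example that is not part of the original e-mail: a Python sketch of the write-temp-then-rename save, showing that metadata set on the old inode stays with the backup while the pathname ends up on a new inode. The file name `shadow`, the `~` backup suffix and the use of mode `0400` as a stand-in for an ACL are assumptions made for the demonstration.

```python
import os
import stat
import tempfile

def edit_via_rename(path, new_text):
    """Mimic an editor: write a temp file, back up the old one, rename over."""
    tmp, backup = path + ".tmp", path + "~"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
    with os.fdopen(fd, "w") as f:
        f.write(new_text)
    os.rename(path, backup)   # old inode keeps its metadata, under a new name
    os.rename(tmp, path)      # the name now points at a brand-new inode
    return backup

def describe(path):
    """Return (inode number, permission bits) for a path."""
    st = os.stat(path)
    return st.st_ino, stat.S_IMODE(st.st_mode)

def demo():
    old_umask = os.umask(0o022)          # fixed so the result is reproducible
    try:
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, "shadow")   # constructed stand-in file
            with open(path, "w") as f:
                f.write("root:OLD:::\n")
            os.chmod(path, 0o400)        # stand-in for an ACL set on the inode
            before = describe(path)
            backup = edit_via_rename(path, "root:NEW:::\n")
            after, kept = describe(path), describe(backup)
            # What an inode-keyed watch set up before the edit now follows:
            followed = [n for n in os.listdir(d)
                        if os.stat(os.path.join(d, n)).st_ino == before[0]]
            with open(path) as f:
                live = f.read()
            return {"before": before, "after": after, "backup": kept,
                    "inode_watch_follows": followed, "live": live}
    finally:
        os.umask(old_umask)

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```
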