Message-ID: <alpine.DEB.2.00.1106221552310.11759@chino.kir.corp.google.com>
Date:	Wed, 22 Jun 2011 15:57:38 -0700 (PDT)
From:	David Rientjes <rientjes@...gle.com>
To:	KOSAKI Motohiro <kosaki.motohiro@...fujitsu.com>
cc:	linux-mm@...ck.org, linux-kernel@...r.kernel.org,
	Andrew Morton <akpm@...ux-foundation.org>, caiqian@...hat.com,
	Hugh Dickins <hughd@...gle.com>,
	KAMEZAWA Hiroyuki <kamezawa.hiroyu@...fujitsu.com>,
	Minchan Kim <minchan.kim@...il.com>,
	Oleg Nesterov <oleg@...hat.com>
Subject: Re: [PATCH 1/6] oom: use euid instead of CAP_SYS_ADMIN for protection root process

On Wed, 22 Jun 2011, KOSAKI Motohiro wrote:

> Recently, many userland daemons prefer to use libcap-ng and drop
> all privileges just after startup. Because (1) almost all privileges
> are necessary only when opening special files, and aren't necessary
> for reading and writing. (2) In general, privilege dropping brings better
> protection from exploits when bugs are found in the daemon.
> 

You could also say that dropping the capability drops the bonus it is 
given in the oom killer.  We've never promised any benefit in the oom 
killer badness scoring without the capability.

> But it makes the oom-killer behavior suboptimal. CAI Qian reported that the
> oom killer killed some important daemon first on his Fedora-like
> distro, because they had lost CAP_SYS_ADMIN.
> 

I disagree that we should be identifying "important daemons" by tying it to 
the effective uid of the process and thus making some sort of inference 
because a thread was forked by root.  I think it is more clear to tie that 
to an actual capability that is present, such as CAP_SYS_ADMIN, or suggest 
that the user give the "important daemon" its own bonus by tuning 
/proc/pid/oom_score_adj.

We already know that the kernel will not be able to identify critical 
processes perfectly, that's an assumption that we can live with.  We must 
rely on userspace to influence that decision by using the tunable.

If this patch were merged, I could easily imagine an argument in the 
reverse that would just simply revert it: it would be very easy to say 
that CAP_SYS_ADMIN has always given this bonus in recent memory so 
changing it would be a regression over the previous behavior and/or that 
giving the capability to a thread as it runs implies that it should have 
the bonus when the euid may not be 0.
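An added example, not part of this thread or of the kernel patch, of the audit the reply implies: a Python check that flags root-owned tasks which have dropped CAP_SYS_ADMIN (read from the `CapEff` mask in `/proc/<pid>/status`) but still sit at the default `oom_score_adj` of 0, i.e. daemons that lose the badness bonus unless an administrator tunes them by hand. The `scan_proc` helper and the sample status excerpts are hypothetical/constructed.

```python
import os

# Bit index of CAP_SYS_ADMIN in the CapEff mask (linux/capability.h).
CAP_SYS_ADMIN = 21

def parse_status(text):
    """Extract name, effective uid and effective capability mask from /proc/<pid>/status."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key] = value.strip()
    uids = fields["Uid"].split()  # real, effective, saved, filesystem uid
    return {"name": fields["Name"], "euid": int(uids[1]), "cap_eff": int(fields["CapEff"], 16)}

def has_cap(cap_eff, cap):
    """True if capability bit `cap` is set in the effective mask."""
    return bool((cap_eff >> cap) & 1)

def classify(status_text, oom_score_adj):
    """Flag a root-owned task that dropped CAP_SYS_ADMIN but was never given its own oom_score_adj."""
    info = parse_status(status_text)
    info["oom_score_adj"] = oom_score_adj
    info["has_sys_admin"] = has_cap(info["cap_eff"], CAP_SYS_ADMIN)
    # Without CAP_SYS_ADMIN the badness bonus is gone; at the default adj of 0 the daemon scores like any task.
    info["needs_tuning"] = info["euid"] == 0 and not info["has_sys_admin"] and oom_score_adj == 0
    return info

def scan_proc(proc="/proc"):
    """Run the check over a live /proc (hypothetical helper; needs Linux). Returns [(pid, name), ...]."""
    flagged = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f"{proc}/{pid}/status") as f:
                status = f.read()
            with open(f"{proc}/{pid}/oom_score_adj") as f:
                adj = int(f.read())
        except OSError:
            continue  # task exited or not readable
        info = classify(status, adj)
        if info["needs_tuning"]:
            flagged.append((int(pid), info["name"]))
    return flagged

# Constructed sample /proc/<pid>/status excerpts (not captured from a real system).
STATUS_DROPPED = "Name:\tmydaemon\nPid:\t1234\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\nCapEff:\t0000000000000000\n"
STATUS_FULL_ROOT = "Name:\tinit\nPid:\t1\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\nCapEff:\t0000003fffffffff\n"
STATUS_UNPRIV = "Name:\tshell\nPid:\t4321\nUid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000000\n"
```

Calling `scan_proc()` on a Linux host lists the daemons that need an explicit `oom_score_adj`; everything else runs on the constructed samples.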