Message-ID: <CA+55aFxXS9z=NwoYug+qGoYufqN-6dCo4fm5ggTsoDonsMi4Dw@mail.gmail.com>
Date: Mon, 19 Sep 2011 09:40:19 -0700
From: Linus Torvalds <torvalds@...ux-foundation.org>
To: Balbir Singh <bsingharora@...il.com>
Cc: Vasiliy Kulikov <segoon@...nwall.com>,
Shailabh Nagar <nagar@...ibm.com>,
linux-kernel@...r.kernel.org, security@...nel.org,
Eric Paris <eparis@...hat.com>,
Stephen Wilson <wilsons@...rt.ca>,
KOSAKI Motohiro <kosaki.motohiro@...fujitsu.com>,
David Rientjes <rientjes@...gle.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Balbir Singh <balbir@...ux.vnet.ibm.com>,
kernel-hardening@...ts.openwall.com
Subject: Re: [Security] [PATCH 2/2] taskstats: restrict access to user
On Thu, Jun 30, 2011 at 8:02 PM, Balbir Singh <bsingharora@...il.com> wrote:
>>
>> So that's why I think it should be marked BROKEN. What applications
>> actually depend on this? iotop and what else? Because if it's just
>> iotop, I do suspect we might be better off telling people "ok,
>> disabling this will break iotop, but quite frankly, you're better off
>> without it".
>
> I beg to differ, due to the reasons above. I'd rather find time and
> fix the pending issues (network namespace), you've fixed the pid
> namespace issue. I'd also look for exiting listeners
So nothing ever happened on this thread, afaik.
You can still read sensitive information at a byte granularity with taskstats.
Balbir never sent any of the fixes he was supposed to, and none of the
namespace issues have gotten fixed.
It's now almost three months later, and things are still equally broken.
I think we need to just disable TASKSTAT's. Nobody maintains it, it's
been a known issue for months, people pointed out problems and even
sent patches, and nothing happened.
Maybe we can minimize it with the appended patch, but dammit, we need
to do *something*. If I don't get any reasonable replies, I'm really
going to have to mark this as known-BROKEN, since nothing ever
happens, and the "maintainer" clearly doesn't care about security
issues.
Linus
[Attachment: patch.diff (text/x-patch, 1481 bytes); the patch itself is not reproduced on this page]
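What "byte granularity" means in practice: the TASKSTATS generic-netlink family hands out a struct taskstats for a requested PID, including the per-task I/O counters (read_char, write_char and the read/write syscall counts). The following client is an added example written for this page, not code from the thread or from the attached patch; the names ts_msg, build_req, find_attr, xchg, get_family and query_taskstats are this example's own, and it is written against the uapi headers linux/taskstats.h and linux/genetlink.h on Linux. By default it queries its own PID (a constructed input); pass another PID on the command line to see what the interface exposes. On later mainline kernels TASKSTATS_CMD_GET carries GENL_ADMIN_PERM, so a caller without CAP_NET_ADMIN gets EPERM (a fact about later kernels, not something this message states); the example reports that outcome rather than treating it as a malfunction.

```c
/* Added example (not from the thread): query a PID's I/O byte counters through
 * the TASKSTATS generic-netlink family. Helper names are this example's own. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <linux/netlink.h>
#include <linux/genetlink.h>
#include <linux/taskstats.h>

/* Wire layout of one generic-netlink message: nlmsghdr, genlmsghdr, attributes.
 * buf starts at offset NLMSG_LENGTH(GENL_HDRLEN), i.e. at the first attribute. */
struct ts_msg {
    struct nlmsghdr n;
    struct genlmsghdr g;
    char buf[4096];
};

/* Build a request carrying a single attribute; returns the total message length. */
int build_req(struct ts_msg *m, __u16 family, __u8 cmd,
              __u16 attr_type, const void *data, __u16 len)
{
    struct nlattr *na = (struct nlattr *)m->buf;

    memset(m, 0, sizeof(*m));
    m->n.nlmsg_len = NLMSG_LENGTH(GENL_HDRLEN);
    m->n.nlmsg_type = family;
    m->n.nlmsg_flags = NLM_F_REQUEST;
    m->g.cmd = cmd;
    m->g.version = TASKSTATS_GENL_VERSION;     /* 0x1; the ctrl family accepts it too */
    na->nla_type = attr_type;
    na->nla_len = NLA_HDRLEN + len;
    memcpy((char *)na + NLA_HDRLEN, data, len);
    m->n.nlmsg_len += NLMSG_ALIGN(na->nla_len);
    return (int)m->n.nlmsg_len;
}

/* Walk a run of attributes and return the first one of the given type, or NULL. */
static const struct nlattr *find_attr(const struct nlattr *na, int rem, __u16 type)
{
    while (rem >= NLA_HDRLEN && na->nla_len >= NLA_HDRLEN && na->nla_len <= rem) {
        if ((na->nla_type & NLA_TYPE_MASK) == type)
            return na;
        rem -= NLA_ALIGN(na->nla_len);
        na = (const struct nlattr *)((const char *)na + NLA_ALIGN(na->nla_len));
    }
    return NULL;
}

/* Pull the struct taskstats out of a TASKSTATS_CMD_GET reply. 0 or -errno. */
int parse_reply(const struct ts_msg *m, struct taskstats *out)
{
    int rem = (int)m->n.nlmsg_len - (int)NLMSG_LENGTH(GENL_HDRLEN);
    const struct nlattr *top = (const struct nlattr *)m->buf, *aggr, *st;
    size_t n;

    aggr = find_attr(top, rem, TASKSTATS_TYPE_AGGR_PID);
    if (!aggr)
        aggr = find_attr(top, rem, TASKSTATS_TYPE_AGGR_TGID);
    if (!aggr)
        return -ENOENT;
    st = find_attr((const struct nlattr *)((const char *)aggr + NLA_HDRLEN),
                   aggr->nla_len - NLA_HDRLEN, TASKSTATS_TYPE_STATS);
    if (!st)
        return -ENOENT;
    n = st->nla_len - NLA_HDRLEN;               /* kernel struct may be newer/older than ours */
    if (n > sizeof(*out))
        n = sizeof(*out);
    memset(out, 0, sizeof(*out));
    memcpy(out, (const char *)st + NLA_HDRLEN, n);
    return 0;
}

/* Send one request and read one reply into the same buffer. 0 or -errno. */
static int xchg(int fd, struct ts_msg *m)
{
    struct sockaddr_nl sa = { .nl_family = AF_NETLINK };
    ssize_t r;

    if (sendto(fd, m, m->n.nlmsg_len, 0, (struct sockaddr *)&sa, sizeof sa) < 0)
        return -errno;
    r = recv(fd, m, sizeof(*m), 0);
    if (r < 0)
        return -errno;
    if (!NLMSG_OK(&m->n, (unsigned int)r))
        return -EBADMSG;
    if (m->n.nlmsg_type == NLMSG_ERROR)         /* kernel reports a negative errno here */
        return ((struct nlmsgerr *)NLMSG_DATA(&m->n))->error;
    return 0;
}

/* Resolve the dynamic family id for "TASKSTATS" via the genetlink controller. */
static int get_family(int fd, __u16 *id)
{
    struct ts_msg m;
    const struct nlattr *na;
    int rc;

    build_req(&m, GENL_ID_CTRL, CTRL_CMD_GETFAMILY, CTRL_ATTR_FAMILY_NAME,
              TASKSTATS_GENL_NAME, sizeof(TASKSTATS_GENL_NAME));
    if ((rc = xchg(fd, &m)) != 0)
        return rc;
    na = find_attr((const struct nlattr *)m.buf,
                   (int)m.n.nlmsg_len - (int)NLMSG_LENGTH(GENL_HDRLEN), CTRL_ATTR_FAMILY_ID);
    if (!na)
        return -ENOENT;
    memcpy(id, (const char *)na + NLA_HDRLEN, sizeof *id);
    return 0;
}

/* Ask the kernel for PID's accounting record. Returns 0 on success, else -errno
 * (-EPERM when the kernel demands CAP_NET_ADMIN for TASKSTATS_CMD_GET). */
int query_taskstats(__u32 pid, struct taskstats *out)
{
    struct timeval tv = { 2, 0 };               /* never hang on a silent socket */
    struct ts_msg m;
    __u16 family;
    int fd, rc;

    fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
    if (fd < 0)
        return -errno;
    setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    if ((rc = get_family(fd, &family)) == 0) {
        build_req(&m, family, TASKSTATS_CMD_GET, TASKSTATS_CMD_ATTR_PID, &pid, sizeof pid);
        if ((rc = xchg(fd, &m)) == 0)
            rc = parse_reply(&m, out);
    }
    close(fd);
    return rc;
}

int main(int argc, char **argv)
{
    struct taskstats ts;
    __u32 pid = argc > 1 ? (__u32)strtoul(argv[1], NULL, 10) : (__u32)getpid();
    int rc = query_taskstats(pid, &ts);

    if (rc) {
        fprintf(stderr, "taskstats query for pid %u failed: %s\n", pid, strerror(-rc));
        return 1;
    }
    printf("pid %u (%s): read_char=%llu write_char=%llu read_syscalls=%llu write_syscalls=%llu\n",
           ts.ac_pid, ts.ac_comm, (unsigned long long)ts.read_char,
           (unsigned long long)ts.write_char, (unsigned long long)ts.read_syscalls,
           (unsigned long long)ts.write_syscalls);
    return 0;
}
```

Run it against a PID owned by another user: on a kernel that lets an unprivileged caller through, the byte counters of that process come back, which is the leak the message is about; on a kernel that gates the command, the query fails with EPERM and nothing else is revealed.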