lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4EB84F05.1000704@zytor.com>
Date:	Mon, 07 Nov 2011 13:35:01 -0800
From:	"H. Peter Anvin" <hpa@...or.com>
To:	Linus Torvalds <torvalds@...ux-foundation.org>
CC:	Vasiliy Kulikov <segoon@...nwall.com>,
	Eric Paris <eparis@...isplace.org>,
	kernel-hardening@...ts.openwall.com, Valdis.Kletnieks@...edu,
	linux-kernel@...r.kernel.org,
	Alexey Dobriyan <adobriyan@...il.com>,
	Andrew Morton <akpm@...ux-foundation.org>,
	linux-security-module@...r.kernel.org
Subject: Re: [kernel-hardening] Re: [PATCH] proc: restrict access to /proc/interrupts

On 11/07/2011 01:23 PM, Linus Torvalds wrote:
> On Mon, Nov 7, 2011 at 12:47 PM, H. Peter Anvin <hpa@...or.com> wrote:
>>
>> You didn't really get my point.  There are global nodes which are
>> dynamic, and more importantly the *set* changes across the system life.
>>  A global policy option is a lot easier to deal with for the vast
>> majority of users who don't need fine grain control.
> 
> I want *one* global policy that the kernel would actually know about:
> is the user physically at the machine right now.
> 
> Sadly, I don't think the kernel has any good way to figure that out
> automatically.
> 
> Because quite frankly, a lot of the /proc files should be "root or
> desktop user". If you control the hardware, you should damn well be
> able to see the interrupt counts in order to do bug reports etc
> without having to 'sudo' or similar.
> 
> I realize that pam & co could give us this info, or we could just add
> a new capability flag, but I think this is something where the kernel
> really could just do the RightThing(tm) automatically, and screw the
> crazy login managers, odd policies (I really don't believe that adding
> magic selinux rules actually improves security all that much, because
> it's too painful and too hard to know for any normal user).
> 
> The person in front of the hardware really *is* fundamentally special.
> 
> Right now all the distros do magic things with the audio device
> because they know the person in front of the machine is special. But
> all those things are ad-hoc per device, and never cover things like
> random /proc files etc.
> 

I was going to say "let's just have the login manager add a group to the
desktop user's permission set" but then I realized that this would be
really bad because of setgid files.

Which exposes a real problem with chgrp and setgid files overall.

The way setgid works effectively means that any user can become a member
of any group that they have at any time been a member of, simply by
"stashing" a copy of the group as a setgid file:

	cp /bin/sh my-saved-group
	chgrp mygroup my-saved-group
	chmod g+s my-saved-group

This is rather messy, because gids are otherwise a very nice capability
mechanism.

	-hpa
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ