lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAGXu5j+ZawBrPbSXSYH9hU5LQqtgebOhkAkDMsxiraoNZkE7og@mail.gmail.com>
Date:	Fri, 17 Feb 2012 17:09:52 -0800
From:	Kees Cook <keescook@...omium.org>
To:	Andrew Morton <akpm@...ux-foundation.org>
Cc:	linux-kernel@...r.kernel.org,
	Alexander Viro <viro@...iv.linux.org.uk>,
	Rik van Riel <riel@...hat.com>,
	Federica Teodori <federica.teodori@...glemail.com>,
	Lucian Adrian Grijincu <lucian.grijincu@...il.com>,
	Ingo Molnar <mingo@...e.hu>,
	Peter Zijlstra <a.p.zijlstra@...llo.nl>,
	Eric Paris <eparis@...hat.com>,
	Randy Dunlap <rdunlap@...otime.net>,
	Dan Rosenberg <drosenberg@...curity.com>,
	linux-doc@...r.kernel.org, linux-fsdevel@...r.kernel.org,
	kernel-hardening@...ts.openwall.com
Subject: Re: [PATCH v2012.2] fs: symlink restrictions on sticky directories

On Fri, Feb 17, 2012 at 3:42 PM, Andrew Morton
<akpm@...ux-foundation.org> wrote:
> On Fri, 17 Feb 2012 15:36:09 -0800
> Kees Cook <keescook@...omium.org> wrote:
>
>> > I think I disagree with this. __If the person compiling the kernel
>> > includes the feature in his kernel via the time-honoured process of
>> > "wtf is that thing? __Yeah, whatev", it gets turned on by default. __This
>> > could easily result in weird failures which would take a *long* time
>> > for an unsuspecting person to debug.
>> >
>> > Would it not be kinder to our users to start this out as
>> > turned-off-at-runtime unless the kernel configurer has deliberately
>> > gone in and enabled it?
>>
>> There was a fair bit of back-and-forth discussion about it.
>> Originally, I had it disabled, but, IIRC, Ingo urged me to have it be
>> the default. I can sent a patch to disable it if you want.
>
> What is the reasoning behind the current setting?

The logic is currently:

- from a security perspective, enabling the restriction is safer
- in the last many years, nothing has been found to be broken by this
restriction

The evidence for the second part mostly comes from people's
recollections using OpenWall, grsecurity, and lately Ubuntu. I can
speak from the Ubuntu history, which is that in the 1.5 years the
symlink restriction has been enabled, no bugs about it were reported
that I'm aware of (and I was aware of, and fixed, several of bugs in
the other restrictions that are carried in Ubuntu).

All that said, I'm fine with it being disabled by default since it can
be enabled at build or runtime with the current patch. Just say the
word. :)

Thanks,

-Kees

-- 
Kees Cook
ChromeOS Security
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ