lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 13 Feb 2013 16:25:48 -0800
From:	"H. Peter Anvin" <hpa@...or.com>
To:	Casey Schaufler <casey@...aufler-ca.com>
CC:	Matthew Garrett <matthew.garrett@...ula.com>,
	Borislav Petkov <bp@...en8.de>,
	Kees Cook <keescook@...omium.org>,
	LKML <linux-kernel@...r.kernel.org>,
	Thomas Gleixner <tglx@...utronix.de>,
	Ingo Molnar <mingo@...hat.com>,
	"x86@...nel.org" <x86@...nel.org>,
	"linux-efi@...r.kernel.org" <linux-efi@...r.kernel.org>,
	linux-security-module <linux-security-module@...r.kernel.org>
Subject: Re: [PATCH] x86: Lock down MSR writing in secure boot

On 02/13/2013 02:58 PM, Casey Schaufler wrote:
>>
>> This is exactly the kind of thinking which has led to the capability
>> system being so bloody useless.
> 
> The reason the capability system is "bloody useless" is
> that no one wants to update the core system applications to
> use it in favor of good old fashioned worked for dad and
> works for me too superuser.
> 

Because, in large part because a bunch of the capabilities are so close
to equivalent to "superuser" that the distinction is meaningless... so
why go through the hassle?  (This is especially so since it was a *long*
time before the filesystem had any notion of capabilities, and so you
had to make your app run as root anyway before you could drop the
capabilities... and some of the people who tried failed spectacularly
and opened up new security holes.)

> 
> I understand that you want capabilities to be associated with
> resources. That is *not* what we have, and arguing that its
> what we should have is pointless because Linux does not even
> have a concept of resources.
> 

OK, fine, call it "activities".  This is still distinct from "usage
models", and that's where we're just broken.

I may look into seeing if there is any sane way we can use the existing
API to define hierarchical capabilities, which at least should let us
split existing capabilities just like we used capabilities to split root.

	-hpa

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ