lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CALCETrX3vDZsymwC=LK=oK0=QLZqyB2Nv4N8jcjsx2yp1rjBvg@mail.gmail.com>
Date:	Tue, 31 Mar 2015 11:29:02 -0700
From:	Andy Lutomirski <luto@...capital.net>
To:	Tom Gundersen <teg@...m.no>
Cc:	David Herrmann <dh.herrmann@...il.com>,
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	Arnd Bergmann <arnd@...db.de>,
	"Eric W. Biederman" <ebiederm@...ssion.com>,
	One Thousand Gnomes <gnomes@...rguk.ukuu.org.uk>,
	Jiri Kosina <jkosina@...e.cz>,
	Linux API <linux-api@...r.kernel.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	Daniel Mack <daniel@...que.org>,
	Djalal Harouni <tixxdz@...ndz.org>
Subject: Re: [PATCH v4 00/14] Add kdbus implementation

On Tue, Mar 31, 2015 at 8:10 AM, Tom Gundersen <teg@...m.no> wrote:
> On Tue, Mar 31, 2015 at 3:58 PM, Andy Lutomirski <luto@...capital.net> wrote:
>>
>> IOW you're taking something that you dislike aspects of and shoving
>> most of it in the kernel.  That guarantees us an API in the kernel
>> that even the creators don't really like.  This is, IMO, very
>> unfortunate.
>
> This is a misrepresentation of what David wrote. We do want this API
> regardless of dbus1 compatibility, but compatibility is by itself a
> sufficient motivation. A further motivation is reliable introspection,
> since this meta-data allows listing current peers on the bus and
> showing their identities. That's hugely useful to make the bus
> transparent to admins.

I've heard the following use cases for per-connection metadata:

 - Authenticating to dbus1 services.

 - Identifying connected users for admin diagnostics.

I've heard the following use cases for per-message metadata:

 - Logging.

 - Authenticating to kdbus services that want this style of authentication.

The only reasonable conclusion I've been able to draw is that the dbus
community intends to use *both* per-connection and per-message
metadata for authentication.  This means that, as a general rule,
dropping privileges while you have an open kdbus connection has poorly
defined effects.

It's particularly alarming that, when I express a concern about
logging, the kdbus authors cite authentication as an alternate
justification, and, when I cite a concern about authentication, the
kdbus authors cite logging as an alternative justificaiton.

This is simply not okay for a modern interface, and in my opinion the
kernel should not carry code to support new APIs with weakly defined
security semantics.  It's important that one be able to tell what the
security implications of one's code is without cross-referencing with
the implementation of the server's you're interacting with.

To top that off, the kdbus policy mechanism has truly bizarre effects
with respect to services that have unique ids and well-known names.
That, too, is apparently for compatibility.

This all feels to me like a total of about four people are going to
understand the tangle that is kdbus security, and that's bad.  I think
that the kernel should insist that new security-critical mechanisms
make sense and be hard to misuse.  The current design of kdbus, in
contrast, feel like it will be very hard to use correctly.

--Andy
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ