Re: A Comment from User Space

From: jmjonesat_private
Date: Sat Apr 21 2001 - 06:24:29 PDT

    On 21 Apr 2001, David Wagner wrote:
    
    > Crispin Cowan  wrote:
    > >Applications that do want to learn this kind of thing normally use the
    > >access() system call, and that call should continue to function.
    > 
    > It may be relevant to also mention that applications that want to
    > call access() or equivalent are also often broken, so any policy
    > module that supports such apps might also be referred to as "broken"
    > from another viewpoint. :-)
    
    "What we have here, is a failure to communicate..."
    
    It seems to me that we're at the end of a resolution of two schools of 
    thought with regard to application design: security-aware-politeness and 
    security-confident-directness.  
    
    Some of us have stated we'd like our applications to be able to query 
    the module about their permissions/capabilities and code the applications
    to make decisions about how to proceed and provide meaningful information
    to the user over and above "permission denied."; others (mostly on the 
    kernel hacking / security side) don't think it's desirable to provide 
    this information because "information is power" and you don't want to 
    hand off that sort of power to userspace.
    
    I've jumped the fence, personally, after careful consideration.  I don't
    see any persuasive reason WHY an application NEEDS to have the ability
    to map out policies in such a manner unless it's actually looking for 
    holes.  Just go ahead and open or bind or fork/exec ... and if it comes
    back failure tell the user/admin ... who would *theoretically* know about 
    the policies and can make a decision about if it's appropriate for the 
    program to do what it tried to do.
    
    I don't think security-aware-polite programs are "broken" if they want
    to use access() to "size up the situation", but, it would seem to me,
    an advantage of an LSM in the first place is to harden the underbelly
    enough that applications DON'T REALLY NEED to provide too much of their
    own security checking on an application-by-application basis.  Good
    programs will never see the policy restrictions (once the poor bedraggled 
    admin has them set up properly to support the program), and a cracked
    program... well, hopefully it'll run into a brick wall.
    
    (Sorry, I tend to think in English before I think in C, but I'm setting 
    up a system today stand-alone and will apply the patches as they come 
    along, and hopefully get some insight as to the "strategy" in a reverse
    sort of way... and generate less "noise" here. :))
    
    Sincerely,
    J. Melvin Jones
     
    |>------------------------------------------------------
    ||  J. MELVIN JONES            jmjonesat_private 
    |>------------------------------------------------------
    ||  Microcomputer Systems Consultant  
    ||  Software Developer
    ||  Web Site Design, Hosting, and Administration
    ||  Network and Systems Administration
    |>------------------------------------------------------
    ||  http://www.jmjones.com/
    |>------------------------------------------------------
    
    
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
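The two application styles the post contrasts, as an added example in C that is not from the original message or from the LSM project: `lbyl_open()` is the "size up the situation" pattern (access() first, then open()), and `eafp_open()` is the "just go ahead and open ... and if it comes back failure tell the user/admin" pattern, turning errno into a message. The helper names, the `*_result` wrappers and the probe paths are constructed for this illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Map open() access flags to the access() mode that "sizes up" the same request. */
static int wanted_access(int flags)
{
    switch (flags & O_ACCMODE) {
    case O_RDONLY: return R_OK;
    case O_WRONLY: return W_OK;
    default:       return R_OK | W_OK;   /* O_RDWR */
    }
}

/* "Security-aware-polite" (hypothetical helper): ask first with access(), then open().
 * The answer is advisory only: the file, its mode, or the loaded policy can change
 * between the two calls, and access() judges by the real uid/gid while open()
 * judges by the effective ids, so a set-uid program can be told "yes" and still
 * fail, or be told "no" for a file open() would have granted. */
int lbyl_open(const char *path, int flags)
{
    if (access(path, wanted_access(flags)) != 0)
        return -1;   /* errno here comes from access(), not from the real operation */
    /* nothing ties the verdict above to the open() below */
    return open(path, flags);
}

/* "Security-confident-direct" (hypothetical helper): just try it; on failure, turn
 * errno into a message the admin can act on. Returns the fd, or -1 with errno kept. */
int eafp_open(const char *path, int flags, char *why, size_t why_len)
{
    int fd = open(path, flags);
    if (fd >= 0) {
        if (why_len > 0)
            why[0] = '\0';
        return fd;
    }
    int saved = errno;
    snprintf(why, why_len, "open(%s): %s (errno %d)", path, strerror(saved), saved);
    errno = saved;
    return -1;
}

/* Reduce each strategy to "0 on success, else the errno it hit" so the two
 * outcomes can be compared without leaking descriptors. */
int lbyl_result(const char *path, int flags)
{
    int fd = lbyl_open(path, flags);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

int eafp_result(const char *path, int flags)
{
    char why[256];
    int fd = eafp_open(path, flags, why, sizeof why);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

int main(void)
{
    /* Constructed inputs: the root directory (always present, never openable for
     * writing as a file) and a path assumed not to exist on this host. */
    const char *probe[] = { "/", "/nonexistent-constructed-path-for-this-example" };
    char why[256];
    for (size_t i = 0; i < 2; i++) {
        int fd = eafp_open(probe[i], O_WRONLY, why, sizeof why);
        if (fd >= 0) {
            printf("%s: opened\n", probe[i]);
            close(fd);
        } else {
            printf("%s\n", why);   /* e.g. "open(/): Is a directory (errno 21)" */
        }
    }
    return 0;
}
```

Run as a regular user, `lbyl_open("/", O_WRONLY)` typically fails inside access() with EACCES; run as root on a writable root filesystem, access() answers yes and the open() that follows fails with EISDIR. The "size up" verdict and the real outcome diverge, which is the sense in which access()-reliant programs get called broken. `eafp_open()` reports the same EISDIR either way, with a message the admin who set the policy can act on.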
    



    This archive was generated by hypermail 2b30 : Sat Apr 21 2001 - 06:26:03 PDT