* Valdis.Kletnieksat_private <Valdis.Kletnieksat_private> [010423 19:23]:
> You've got it backwards. We *know* that 'access()' is fundamentally
> screwed up.
>
> BUT WHAT IF IT ACTUALLY WORKED?

Errr.. I'll need a lot more convincing before I think an access()-like
function is a workable security measure. My reasoning (while I make no
claim of originality in this reasoning):

Program P makes check on "if I executed sequence S in security domain D
will it succeed?" at time t_0.

Program P performs sequence S in its own (presumably elevated) security
domain d at time t_1.

Between t_0 and t_1, program Q could change the floor out from underneath
P. When t_1 finally rolls around, the security domain D *would prevent*
the execution. But at t_0, the security domain D said it *would allow*
the execution.

I think the whole idea is fundamentally flawed. Forcing module guys to
implement an access()-like function (whether for information purposes or
for broken security checking) doesn't seem right. If you want to support
it in your module, go right ahead. But I don't think it should be forced
on anyone -- because it cannot promise to be correct except in situations
where their correctness doesn't matter. (i.e., when no one is actively
attacking the system.)

If you can present a method for an access()-like system to work reliably
in all cases, I am sure I am not the only one who would love to see it. :)

Cheers!

--
Earthlink: The #1 provider of unsolicited bulk email to the Internet.

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Mon Apr 23 2001 - 20:09:02 PDT
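The t_0 / t_1 race described in the message above, made concrete. This is an added example, not code from the thread or from any LSM module. It builds a scratch directory (constructed here: "public", "secret" and a symlink "link" -> "public"), has P call access() on the name at t_0, lets Q repoint the symlink in the window, and then has P open() the name at t_1, which now resolves to "secret". The alternative shown alongside does no separate check at all: it opens in the caller's own security domain (seteuid to the real uid, a no-op when the program is not setuid), refuses to follow symlinks, and verifies the object it actually got with fstat() on the descriptor rather than asking about a name. The function and struct names are illustrative assumptions, not any real API.

```c
/* Added example (not from the LSM thread): access()-then-open() TOCTOU
 * reproduced with a symlink swap, next to an open-in-caller's-domain variant.
 * Runs unprivileged; all files live in a temporary directory it creates. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed scratch tree: "public" is what P may serve, "secret" what it
 * must not, and "link" is the name P is asked to read. (illustrative names) */
struct tree { char dir[PATH_MAX], pub[PATH_MAX], sec[PATH_MAX], link[PATH_MAX]; };

static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

static int make_tree(struct tree *t)
{
    snprintf(t->dir, sizeof t->dir, "/tmp/toctou-XXXXXX");
    if (!mkdtemp(t->dir)) return -1;
    snprintf(t->pub, sizeof t->pub, "%s/public", t->dir);
    snprintf(t->sec, sizeof t->sec, "%s/secret", t->dir);
    snprintf(t->link, sizeof t->link, "%s/link", t->dir);
    if (write_file(t->pub, "PUBLIC") || write_file(t->sec, "SECRET")) return -1;
    return symlink("public", t->link);          /* link -> public: benign at t_0 */
}

static void rm_tree(const struct tree *t)
{
    unlink(t->link); unlink(t->pub); unlink(t->sec); rmdir(t->dir);
}

/* Q's move between t_0 and t_1: the name P checked now resolves elsewhere. */
static int attacker_swap(const struct tree *t)
{
    return (unlink(t->link) == 0 && symlink("secret", t->link) == 0) ? 0 : -1;
}

/* The pattern the post argues against: decide on a name at t_0, act at t_1. */
static int read_after_access(const struct tree *t, char *out, size_t n)
{
    if (access(t->link, R_OK) != 0) return -1;  /* t_0: "would it succeed?" yes */
    if (attacker_swap(t) != 0) return -1;       /* Q changes the floor */
    int fd = open(t->link, O_RDONLY);           /* t_1: follows the NEW link */
    if (fd < 0) return -1;
    ssize_t got = read(fd, out, n - 1);
    close(fd);
    if (got < 0) return -1;
    out[got] = '\0';
    return 0;
}

/* No advisory check: open as the real uid so the kernel decides at the moment
 * of use, refuse symlinks, then inspect the object actually obtained (fstat on
 * the fd), never the name. A failed privilege restore is fatal on purpose. */
static int open_checked(const char *path)
{
    uid_t saved = geteuid();
    if (seteuid(getuid()) != 0) return -1;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    int err = errno;
    if (seteuid(saved) != 0) { if (fd >= 0) close(fd); abort(); }
    if (fd < 0) { errno = err; return -1; }
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) { close(fd); errno = EACCES; return -1; }
    return fd;
}

/* Returns 1 when the check-then-use sequence hands out "secret". */
int demo_vulnerable_reads_secret(void)
{
    struct tree t; char buf[32] = "";
    memset(&t, 0, sizeof t);
    if (make_tree(&t) != 0) { rm_tree(&t); return -1; }
    int rc = read_after_access(&t, buf, sizeof buf);
    rm_tree(&t);
    return rc == 0 && strcmp(buf, "SECRET") == 0;
}

/* Returns 1 when open_checked() refuses the swapped name (ELOOP from O_NOFOLLOW). */
int demo_safe_refuses(void)
{
    struct tree t;
    memset(&t, 0, sizeof t);
    if (make_tree(&t) != 0 || attacker_swap(&t) != 0) { rm_tree(&t); return -1; }
    int fd = open_checked(t.link);
    int err = errno;
    if (fd >= 0) close(fd);
    rm_tree(&t);
    return fd < 0 && err == ELOOP;
}

int main(void)
{
    printf("access()-then-open() leaked secret: %d\n", demo_vulnerable_reads_secret());
    printf("open_checked() refused swapped link: %d\n", demo_safe_refuses());
    return 0;
}
```

Note that the swap here is deterministic only because the example performs it in the window itself; in a real attack Q loops on the rename until it wins, and the width of the window does not matter to the argument. The open_checked() variant illustrates the point of the message: the only check that is guaranteed to agree with the operation is the one the kernel performs as part of the operation, in the domain where the operation runs.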