Crispin Cowan wrote:

> It's a subtle distinction, but basically I am not concerned about rogue
> root shells, because they should not exist. I don't *want* to have to be
> concerned about rogue nobody shells, because it is very difficult to
> ensure that they never exist.

My philosophy is a bit different. I always assume that if someone can get access to a nobody shell on my machine, they can get root access. This assumption has borne out extremely well in practice: the number of local exploits is too huge to keep track of.

Therefore, in my view, you should be confining those nobody shells, if you think the attacker can gain control of them. If you then make the assumption that all malicious processes are confined, I don't think you have to worry so much about the million-symlink attack.

The truly troublesome concern (IMHO) would be if some non-malicious local process with good intentions created a symlink that let a confined application violate the security policy, but as far as I know this isn't an issue for SubDomain.

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
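An added illustration of the symlink concern raised in the last paragraph (example code, not from the post or from SubDomain): a confined application can defend itself in user space by canonicalising a path and checking it stays under its allowed directory, shown here against a constructed jail fixture with a link that escapes and one that stays inside. The jail path, file names and the `open_in_jail`/`demo` helpers are assumptions for this example; the comment explains why such a user-space check is racy and why in-kernel mediation is the stronger answer.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `path` read-only only if it canonicalises to a location inside `jail`.
 * realpath() follows every symlink, so a link pointing outside the jail fails
 * the prefix test; O_NOFOLLOW then refuses a link as the final component even
 * when it stays inside. Returns an fd or -1. Caveat: the check and the open are
 * separate syscalls, so a link swapped in between is not caught; only in-kernel
 * confinement mediates the open atomically, which is the case for an LSM. */
int open_in_jail(const char *jail, const char *path) {
    char root[PATH_MAX], target[PATH_MAX];
    if (!realpath(jail, root) || !realpath(path, target)) return -1;
    size_t n = strlen(root);
    if (strncmp(target, root, n) != 0 || (target[n] != '/' && target[n] != '\0')) {
        errno = EACCES;                     /* resolved outside the jail */
        return -1;
    }
    return open(path, O_RDONLY | O_NOFOLLOW);
}

/* Constructed fixture: a jail directory with a regular file, a symlink made by
 * some other local process that escapes to a file outside the jail, and a
 * symlink that stays inside. Returns 1 when only the regular file is accepted. */
int demo(void) {
    char base[] = "/tmp/jailXXXXXX";
    char jail[64], secret[64], data[64], escape[64], alias[64];
    if (!mkdtemp(base)) return 0;
    snprintf(jail, sizeof jail, "%s/jail", base);
    snprintf(secret, sizeof secret, "%s/secret", base);    /* outside the jail */
    snprintf(data, sizeof data, "%s/jail/data", base);
    snprintf(escape, sizeof escape, "%s/jail/escape", base);
    snprintf(alias, sizeof alias, "%s/jail/alias", base);
    if (mkdir(jail, 0700) != 0) return 0;
    int fd = open(secret, O_WRONLY | O_CREAT, 0600); if (fd < 0) return 0; close(fd);
    fd = open(data, O_WRONLY | O_CREAT, 0600);       if (fd < 0) return 0; close(fd);
    if (symlink(secret, escape) != 0 || symlink("data", alias) != 0) return 0;
    int ok  = open_in_jail(jail, data);     /* regular file inside: accepted */
    int esc = open_in_jail(jail, escape);   /* resolves outside: EACCES */
    int in  = open_in_jail(jail, alias);    /* inside, but a link: ELOOP */
    if (ok >= 0) close(ok);
    return ok >= 0 && esc < 0 && in < 0;
}
```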
This archive was generated by hypermail 2b30 : Sun Jul 22 2001 - 20:23:31 PDT