On Fri, Oct 18, 2002 at 02:02:19AM -0700, Crispin Cowan wrote: > * root may not follow non-root symlinks in certain circumstances > (prevent some temp file attacks) > * non-root may not create a hard-link to root-owned files in certain > circumstances (prevent some other temp file attacks) > * may not ptrace root processes (preventing further recurrance of > the bugs in ptrace over the last year or so) > > These policies help a lot to secure a system. But these policies also > break some things, so it is good that they be a loadable module, and not > a proposed Linux patch. All three are actually very good examples on how your "Security" modules work around problems instead of fixing thev actual cause. Instead of adding hacks for tempfile races you rather want to give each user a private namesapace and it's own /tmp (IMHO we should also get rid of symlinks entirely, but they're in too wide use nowdays unfortunately). And ptrace _really_ _really_ needs to be replaced by a sane debug interface, like the plan9 procfs-based debugging. But instead of attaking these causes security folks like wirex just implement fuzzy busword mechanisms that are selable to managers. _______________________________________________ linux-security-module mailing list linux-security-moduleat_private http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Fri Oct 18 2002 - 06:06:28 PDT