Re: [PATCH] remove sys_security

From: Christoph Hellwig (hchat_private)
Date: Fri Oct 18 2002 - 06:05:43 PDT


    On Fri, Oct 18, 2002 at 02:02:19AM -0700, Crispin Cowan wrote:
    >     * root may not follow non-root symlinks in certain circumstances
    >       (prevent some temp file attacks)
    >     * non-root may not create a hard-link to root-owned files in certain
    >       circumstances (prevent some other temp file attacks)
    >     * may not ptrace root processes (preventing further recurrence of
    >       the bugs in ptrace over the last year or so)
    > 
    > These policies help a lot to secure a system. But these policies also 
    > break some things, so it is good that they be a loadable module, and not 
    > a proposed Linux patch.
    
    All three are actually very good examples of how your "Security"
    modules work around problems instead of fixing the actual cause.
    
    Instead of adding hacks for tempfile races you rather want to
    give each user a private namespace and its own /tmp (IMHO
    we should also get rid of symlinks entirely, but they're in too wide
    use nowadays unfortunately).
    
    And ptrace _really_ _really_ needs to be replaced by a sane debug
    interface, like the plan9 procfs-based debugging.
    
    But instead of attacking these causes security folks like wirex just
    implement fuzzy buzzword mechanisms that are sellable to managers.
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
    


