From: Andrea Arcangeli <andrea@suse.de>
To: Christoph Hellwig <hch@infradead.org>,
Wim Coekaerts <wim.coekaerts@oracle.com>,
Andrew Morton <akpm@osdl.org>,
cw@f00f.org, linux-kernel@vger.kernel.org
Subject: Re: 2.6.6-mm1
Date: Wed, 12 May 2004 04:44:25 +0200 [thread overview]
Message-ID: <20040512024425.GV3829@dualathlon.random> (raw)
In-Reply-To: <20040511072329.D12187@infradead.org>
On Tue, May 11, 2004 at 07:23:29AM +0100, Christoph Hellwig wrote:
> On Mon, May 10, 2004 at 06:51:18PM -0700, Wim Coekaerts wrote:
> > > err, so why did I just merge the hugetlb_shm_group patch?
> >
> > because of what you mentioned. it takes a long time before that goes
> > out, it's not even tested, and it doesn't apply to those 1000's of
> > existing systems taht will break on upgrade. exactly what you said, it
> > makes it possible to get to a different way smoothly in time. my
> > comments were not "we can use it today".
>
> So it's a hack for legacy oracle versions. nice. and for that we
> introduce completely alien concepts like magic groups into the kernel..
I don't see why we're trying to complicate the simple things.
I posted a disable_cap_mlock patch several weeks ago, that's the only
needed thing.
Even if there's an attacker on the machine with disable_cap_mlock == 1,
the attacker won't be able to exploit anything, it can only generate a
DoS. The cap-mlock is clearly not nearly as security-critical as most
other capabilities.
There's no reason to get the "hack" any smarter than the disable_cap_mlock
approch, any sysctl will be still an hack anyways. The group thing and
the differentiation between hugetlbfs users and mlock users (like
SHM_LOCK) is a mere attempt to make it more secure, but if you can
change the disable_cap_mlock sysctl from 0 to 1 you for sure can also
change the hugetlb_shm_group from 0 to 500 and the same for the
mlock_group too. Plus I can want to give mlock to the whole system at
the same time, not just to a single group, and for that
disable_cap_mlock is appropriate.
I'm quite confortable to say that disable_cap_mlock can be dropped in
2.8, by that time a replacement solution will be implemented and I don't
expect any application learning about the disable_cap_mlock name, they
really shouldn't, only the bootup procedure of the OS will know about it
and only the login/su will learn about the future replacement.
So I believe the best "hack" is to use the simple disable_cap_mlock and
to concentrate all the efforts on a more flexible solution involving
userspace changes. The one suggested by Andrew by simply dropping the
capabilities in login and su sounded very appealing to me.
next prev parent reply other threads:[~2004-05-12 2:44 UTC|newest]
Thread overview: 62+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-05-10 9:45 2.6.6-mm1 Andrew Morton
2004-05-10 10:52 ` 2.6.6-mm1 Dominik Karall
2004-05-10 11:18 ` 2.6.6-mm1 Dave Jones
2004-05-10 12:20 ` 2.6.6-mm1 Nick Piggin
2004-05-10 12:22 ` 2.6.6-mm1 Dave Jones
2004-05-10 12:35 ` 2.6.6-mm1: FB_ASILIANT: no help text Adrian Bunk
2004-05-10 12:45 ` 2.6.6-mm1: a different CONFIG_STANDALONE approach Adrian Bunk
2004-05-10 12:57 ` Adrian Bunk
2004-05-10 20:00 ` Andrew Morton
2004-05-10 14:38 ` 2.6.6-mm1 Norberto Bensa
2004-05-10 14:55 ` 2.6.6-mm1 Dominik Karall
2004-05-10 15:02 ` 2.6.6-mm1 Norberto Bensa
2004-05-10 15:22 ` 2.6.6-mm1 Dominik Karall
2004-05-10 15:33 ` 2.6.6-mm1 Norberto Bensa
2004-05-10 15:20 ` 2.6.6-mm1 Christoph Hellwig
2004-05-11 5:21 ` 2.6.6-mm1 Andrew Morton
2004-05-10 21:37 ` 2.6.6-mm1 Christoph Hellwig
2004-05-10 22:02 ` 2.6.6-mm1 Andrew Morton
2004-05-10 22:05 ` 2.6.6-mm1 Christoph Hellwig
2004-05-10 22:15 ` 2.6.6-mm1 Andrew Morton
2004-05-10 22:20 ` 2.6.6-mm1 Christoph Hellwig
2004-05-10 22:47 ` 2.6.6-mm1 Andrew Morton
2004-05-10 22:48 ` 2.6.6-mm1 Christoph Hellwig
2004-05-10 23:16 ` 2.6.6-mm1 Matt Mackall
2004-05-10 22:27 ` 2.6.6-mm1 Valdis.Kletnieks
2004-05-10 22:48 ` 2.6.6-mm1 Andrew Morton
2004-05-10 23:01 ` 2.6.6-mm1 Valdis.Kletnieks
2004-05-10 23:11 ` 2.6.6-mm1 Chris Wedgwood
2004-05-10 23:14 ` 2.6.6-mm1 Christoph Hellwig
2004-05-10 23:28 ` 2.6.6-mm1 Andrew Morton
2004-05-10 23:33 ` 2.6.6-mm1 Chris Wedgwood
2004-05-10 23:51 ` 2.6.6-mm1 Andrew Morton
2004-05-10 23:53 ` 2.6.6-mm1 Chris Wedgwood
2004-05-11 0:14 ` 2.6.6-mm1 Andrew Morton
2004-05-11 0:24 ` 2.6.6-mm1 Wim Coekaerts
2004-05-11 1:10 ` 2.6.6-mm1 Andrew Morton
2004-05-11 1:51 ` 2.6.6-mm1 Wim Coekaerts
2004-05-11 6:23 ` 2.6.6-mm1 Christoph Hellwig
2004-05-12 2:44 ` Andrea Arcangeli [this message]
2004-05-12 5:11 ` 2.6.6-mm1 Chris Wedgwood
2004-05-11 15:12 ` 2.6.6-mm1 Wim Coekaerts
2004-05-12 5:42 ` 2.6.6-mm1 Christoph Hellwig
2004-05-12 5:50 ` 2.6.6-mm1 Christoph Hellwig
2004-05-11 6:22 ` 2.6.6-mm1 Christoph Hellwig
2004-05-11 6:21 ` 2.6.6-mm1 Christoph Hellwig
2004-05-11 6:37 ` 2.6.6-mm1 William Lee Irwin III
2004-05-11 6:18 ` 2.6.6-mm1 Christoph Hellwig
2004-05-10 23:33 ` 2.6.6-mm1 Chris Wright
2004-05-11 1:59 ` 2.6.6-mm1 Matt Mackall
2004-05-11 14:34 ` 2.6.6-mm1 Stephen Smalley
2004-05-11 16:48 ` 2.6.6-mm1 Chris Wright
2004-05-12 12:49 ` 2.6.6-mm1 Sean Neakums
2004-05-12 19:26 ` 2.6.6-mm1 Andrew Morton
-- strict thread matches above, loose matches on Subject: below --
2004-05-10 12:43 2.6.6-mm1 Sid Boyce
2004-05-12 8:13 ` 2.6.6-mm1 Andrew Morton
2004-05-10 16:50 2.6.6-mm1 Sid Boyce
[not found] <fa.j4d62qo.1144tpk@ifi.uio.no>
[not found] ` <fa.gg699ad.b2omr9@ifi.uio.no>
2004-05-11 6:33 ` 2.6.6-mm1 Andy Lutomirski
2004-05-11 10:34 2.6.6-mm1 Sid Boyce
2004-05-11 14:49 2.6.6-mm1 Neil Schemenauer
2004-05-11 18:55 ` 2.6.6-mm1 Andrew Morton
2004-05-12 12:26 2.6.6-mm1 Sid Boyce
2004-05-12 15:27 2.6.6-mm1 Sid Boyce
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20040512024425.GV3829@dualathlon.random \
--to=andrea@suse.de \
--cc=akpm@osdl.org \
--cc=cw@f00f.org \
--cc=hch@infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=wim.coekaerts@oracle.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.