From: Ingo Molnar <mingo@elte.hu>
To: Kees Cook <keescook@chromium.org>
Cc: Andrew Morton <akpm@linux-foundation.org>,
linux-kernel@vger.kernel.org,
Alexander Viro <viro@zeniv.linux.org.uk>,
Rik van Riel <riel@redhat.com>,
Federica Teodori <federica.teodori@googlemail.com>,
Lucian Adrian Grijincu <lucian.grijincu@gmail.com>,
Peter Zijlstra <a.p.zijlstra@chello.nl>,
Eric Paris <eparis@redhat.com>,
Randy Dunlap <rdunlap@xenotime.net>,
Dan Rosenberg <drosenberg@vsecurity.com>,
linux-doc@vger.kernel.org, linux-fsdevel@vger.kernel.org,
kernel-hardening@lists.openwall.com
Subject: [kernel-hardening] Re: [PATCH v2012.2] fs: symlink restrictions on sticky directories
Date: Sun, 19 Feb 2012 13:31:51 +0100 [thread overview]
Message-ID: <20120219123151.GA25900@elte.hu> (raw)
In-Reply-To: <CAGXu5j+ZawBrPbSXSYH9hU5LQqtgebOhkAkDMsxiraoNZkE7og@mail.gmail.com>
* Kees Cook <keescook@chromium.org> wrote:
> >> > I think I disagree with this. __If the person compiling
> >> > the kernel includes the feature in his kernel via the
> >> > time-honoured process of "wtf is that thing? __Yeah,
> >> > whatev", it gets turned on by default. __This could
> >> > easily result in weird failures which would take a *long*
> >> > time for an unsuspecting person to debug.
> >> >
> >> > Would it not be kinder to our users to start this out as
> >> > turned-off-at-runtime unless the kernel configurer has
> >> > deliberately gone in and enabled it?
> >>
> >> There was a fair bit of back-and-forth discussion about it.
> >> Originally, I had it disabled, but, IIRC, Ingo urged me to
> >> have it be the default. I can sent a patch to disable it if
> >> you want.
> >
> > What is the reasoning behind the current setting?
>
> The logic is currently:
>
> - from a security perspective, enabling the restriction is
> safer
> - in the last many years, nothing has been found to be
> broken by this restriction
>
> The evidence for the second part mostly comes from people's
> recollections using OpenWall, grsecurity, and lately Ubuntu. I
> can speak from the Ubuntu history, which is that in the 1.5
> years the symlink restriction has been enabled, no bugs about
> it were reported that I'm aware of (and I was aware of, and
> fixed, several of bugs in the other restrictions that are
> carried in Ubuntu).
I'd say all this current evidence suggests that it should be on
by default - having it off only helps attackers and hermite
systems.
So at minimum we should wait until the first regression report
before twiddling it off. I could be wrong though.
Thanks,
Ingo
WARNING: multiple messages have this Message-ID (diff)
From: Ingo Molnar <mingo@elte.hu>
To: Kees Cook <keescook@chromium.org>
Cc: Andrew Morton <akpm@linux-foundation.org>,
linux-kernel@vger.kernel.org,
Alexander Viro <viro@zeniv.linux.org.uk>,
Rik van Riel <riel@redhat.com>,
Federica Teodori <federica.teodori@googlemail.com>,
Lucian Adrian Grijincu <lucian.grijincu@gmail.com>,
Peter Zijlstra <a.p.zijlstra@chello.nl>,
Eric Paris <eparis@redhat.com>,
Randy Dunlap <rdunlap@xenotime.net>,
Dan Rosenberg <drosenberg@vsecurity.com>,
linux-doc@vger.kernel.org, linux-fsdevel@vger.kernel.org,
kernel-hardening@lists.openwall.com
Subject: Re: [PATCH v2012.2] fs: symlink restrictions on sticky directories
Date: Sun, 19 Feb 2012 13:31:51 +0100 [thread overview]
Message-ID: <20120219123151.GA25900@elte.hu> (raw)
In-Reply-To: <CAGXu5j+ZawBrPbSXSYH9hU5LQqtgebOhkAkDMsxiraoNZkE7og@mail.gmail.com>
* Kees Cook <keescook@chromium.org> wrote:
> >> > I think I disagree with this. __If the person compiling
> >> > the kernel includes the feature in his kernel via the
> >> > time-honoured process of "wtf is that thing? __Yeah,
> >> > whatev", it gets turned on by default. __This could
> >> > easily result in weird failures which would take a *long*
> >> > time for an unsuspecting person to debug.
> >> >
> >> > Would it not be kinder to our users to start this out as
> >> > turned-off-at-runtime unless the kernel configurer has
> >> > deliberately gone in and enabled it?
> >>
> >> There was a fair bit of back-and-forth discussion about it.
> >> Originally, I had it disabled, but, IIRC, Ingo urged me to
> >> have it be the default. I can sent a patch to disable it if
> >> you want.
> >
> > What is the reasoning behind the current setting?
>
> The logic is currently:
>
> - from a security perspective, enabling the restriction is
> safer
> - in the last many years, nothing has been found to be
> broken by this restriction
>
> The evidence for the second part mostly comes from people's
> recollections using OpenWall, grsecurity, and lately Ubuntu. I
> can speak from the Ubuntu history, which is that in the 1.5
> years the symlink restriction has been enabled, no bugs about
> it were reported that I'm aware of (and I was aware of, and
> fixed, several of bugs in the other restrictions that are
> carried in Ubuntu).
I'd say all this current evidence suggests that it should be on
by default - having it off only helps attackers and hermite
systems.
So at minimum we should wait until the first regression report
before twiddling it off. I could be wrong though.
Thanks,
Ingo
next prev parent reply other threads:[~2012-02-19 12:31 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-01-07 18:55 [kernel-hardening] [PATCH v2012.2] fs: symlink restrictions on sticky directories Kees Cook
2012-01-07 18:55 ` Kees Cook
2012-01-08 11:44 ` [kernel-hardening] " Matthew Wilcox
2012-01-08 11:44 ` Matthew Wilcox
2012-01-08 17:53 ` [kernel-hardening] " Kees Cook
2012-01-08 17:53 ` Kees Cook
2012-01-08 17:53 ` Kees Cook
2012-02-17 23:24 ` [kernel-hardening] " Andrew Morton
2012-02-17 23:24 ` Andrew Morton
2012-02-17 23:36 ` [kernel-hardening] " Kees Cook
2012-02-17 23:36 ` Kees Cook
2012-02-17 23:42 ` [kernel-hardening] " Andrew Morton
2012-02-17 23:42 ` Andrew Morton
2012-02-18 1:09 ` [kernel-hardening] " Kees Cook
2012-02-18 1:09 ` Kees Cook
2012-02-19 12:31 ` Ingo Molnar [this message]
2012-02-19 12:31 ` Ingo Molnar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120219123151.GA25900@elte.hu \
--to=mingo@elte.hu \
--cc=a.p.zijlstra@chello.nl \
--cc=akpm@linux-foundation.org \
--cc=drosenberg@vsecurity.com \
--cc=eparis@redhat.com \
--cc=federica.teodori@googlemail.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-doc@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lucian.grijincu@gmail.com \
--cc=rdunlap@xenotime.net \
--cc=riel@redhat.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.