From: "H. Peter Anvin" <hpa@zytor.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Vasiliy Kulikov <segoon@openwall.com>,
Eric Paris <eparis@parisplace.org>,
kernel-hardening@lists.openwall.com, Valdis.Kletnieks@vt.edu,
linux-kernel@vger.kernel.org,
Alexey Dobriyan <adobriyan@gmail.com>,
Andrew Morton <akpm@linux-foundation.org>,
linux-security-module@vger.kernel.org
Subject: Re: [kernel-hardening] Re: [PATCH] proc: restrict access to /proc/interrupts
Date: Mon, 07 Nov 2011 13:35:01 -0800 [thread overview]
Message-ID: <4EB84F05.1000704@zytor.com> (raw)
In-Reply-To: <CA+55aFwYGivYFZTLprSB+oDm3E4MG0s3PEQabs166v6YRL5u-Q@mail.gmail.com>
On 11/07/2011 01:23 PM, Linus Torvalds wrote:
> On Mon, Nov 7, 2011 at 12:47 PM, H. Peter Anvin <hpa@zytor.com> wrote:
>>
>> You didn't really get my point. There are global nodes which are
>> dynamic, and more importantly the *set* changes across the system life.
>> A global policy option is a lot easier to deal with for the vast
>> majority of users who don't need fine grain control.
>
> I want *one* global policy that the kernel would actually know about:
> is the user physically at the machine right now.
>
> Sadly, I don't think the kernel has any good way to figure that out
> automatically.
>
> Because quite frankly, a lot of the /proc files should be "root or
> desktop user". If you control the hardware, you should damn well be
> able to see the interrupt counts in order to do bug reports etc
> without having to 'sudo' or similar.
>
> I realize that pam & co could give us this info, or we could just add
> a new capability flag, but I think this is something where the kernel
> really could just do the RightThing(tm) automatically, and screw the
> crazy login managers, odd policies (I really don't believe that adding
> magic selinux rules actually improves security all that much, because
> it's too painful and too hard to know for any normal user).
>
> The person in front of the hardware really *is* fundamentally special.
>
> Right now all the distros do magic things with the audio device
> because they know the person in front of the machine is special. But
> all those things are ad-hoc per device, and never cover things like
> random /proc files etc.
>
I was going to say "let's just have the login manager add a group to the
desktop user's permission set" but then I realized that this would be
really bad because of setgid files.
Which exposes a real problem with chgrp and setgid files overall.
The way setgid works effectively means that any user can become a member
of any group that they have at any time been a member of, simply by
"stashing" a copy of the group as a setgid file:
cp /bin/sh my-saved-group
chgrp mygroup my-saved-group
chmod g+s my-saved-group
This is rather messy, because gids are otherwise a very nice capability
mechanism.
-hpa
next prev parent reply other threads:[~2011-11-07 21:35 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-11-07 17:45 [PATCH] proc: restrict access to /proc/interrupts Vasiliy Kulikov
2011-11-07 18:06 ` Valdis.Kletnieks
2011-11-07 19:01 ` [kernel-hardening] " Vasiliy Kulikov
2011-11-07 19:01 ` Vasiliy Kulikov
2011-11-07 19:18 ` [kernel-hardening] " H. Peter Anvin
2011-11-07 19:18 ` H. Peter Anvin
2011-11-07 19:29 ` [kernel-hardening] " Vasiliy Kulikov
2011-11-07 19:48 ` Eric Paris
2011-11-07 19:50 ` H. Peter Anvin
2011-11-07 20:11 ` Vasiliy Kulikov
2011-11-07 20:47 ` H. Peter Anvin
2011-11-07 21:23 ` Linus Torvalds
2011-11-07 21:35 ` H. Peter Anvin [this message]
2011-11-07 23:07 ` Linus Torvalds
2011-11-07 23:21 ` Alan Cox
2011-11-07 23:27 ` Greg KH
2011-11-07 23:40 ` Theodore Tso
2011-11-07 23:45 ` Alan Cox
2011-11-07 23:45 ` Greg KH
2011-11-08 20:07 ` Ted Ts'o
2011-11-09 16:14 ` Greg KH
2011-11-08 9:11 ` Vasiliy Kulikov
2011-11-08 13:23 ` Alan Cox
2011-11-08 17:41 ` Vasiliy Kulikov
2011-11-08 17:06 ` John Stoffel
2011-11-07 19:54 ` Vasiliy Kulikov
2011-11-07 20:10 ` Valdis.Kletnieks
2011-11-07 20:10 ` Valdis.Kletnieks
2011-11-07 20:19 ` [kernel-hardening] " Vasiliy Kulikov
2011-11-07 20:19 ` Vasiliy Kulikov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4EB84F05.1000704@zytor.com \
--to=hpa@zytor.com \
--cc=Valdis.Kletnieks@vt.edu \
--cc=adobriyan@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=eparis@parisplace.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=segoon@openwall.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.