From: Athanasius <link@miggy.org>
To: Julien TINNES <jt@cr0.org>, linux-kernel <linux-kernel@vger.kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
	Greg KH <gregkh@suse.de>, Tavis Ormandy <taviso@sdf.lonestar.org>,
	Christoph Hellwig <hch@infradead.org>,
	Kees Cook <kees@ubuntu.com>, Eugene Teo <eugene@redhat.com>,
	Athanasius <link@miggy.org>
Subject: Re: [link@miggy.org: Re: [patch 2/8] personality: fix PER_CLEAR_ON_SETID (CVE-2009-1895)]
Date: Sun, 19 Jul 2009 13:27:01 +0100
Message-ID: <20090719122701.GJ6722@miggy.org>
In-Reply-To: <4A6278FD.20807@cr0.org>

On Sat, Jul 18, 2009 at 06:38:05PM -0700, Julien TINNES wrote:
> A process should be able to change its own personality, there is no
> issue with this as long as we restrict the set of personalities which
> are preserved when the process gets new privileges.

  And it's that "as long as we ..." that still bothers me.  I've *never*
had any need for any use of this personality feature and this net/tun.c
exploit has proven there can be security gotchas with it.  I'd prefer if
the whole thing were a kernel config option so I can easily turn it off
and have peace of mind that no future security bug discovered will
affect me.
  No, I'd rather not look into using something like SELinux to turn off
one syscall, as that's introducing a whole extra layer of complexity.
Indeed the same exploit can instead make use of SELinux being misconfigured
by some vendors.

  If the feature didn't already exist and was now proposed, what are the
chances it would make it into the mainline kernel without having a
config option control it?  I'm wondering what its chances would be of
being accepted at all given the tentacles it seems to throw in all
directions (search for any of the actual personality feature flags in
the kernel source).
  I'd also hazard that such ABI-compatibility with binaries from other
OSes is a feature the great majority of Linux users have never used and
now never will.

-- 
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
                  Finger athan(at)fysh.org for PGP key
	   "And it's me who is my enemy. Me who beats me up.
Me who makes the monsters. Me who strips my confidence." Paula Cole - ME


Thread overview: 8+ messages
     [not found] <20090718202512.GA19587@suse.de>
     [not found] ` <alpine.LFD.2.01.0907181342500.13838@localhost.localdomain>
2009-07-18 21:28   ` [link@miggy.org: Re: [patch 2/8] personality: fix PER_CLEAR_ON_SETID (CVE-2009-1895)] Athanasius
2009-07-19  1:38     ` Julien TINNES
2009-07-19 12:27       ` Athanasius [this message]
2009-07-19 19:27         ` Linus Torvalds
2009-07-19 19:39           ` Athanasius
2009-07-19 19:47             ` Linus Torvalds
2009-07-19 19:55           ` Andi Kleen
2009-07-19 22:01           ` Alan Cox
