public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed
From: "H. Peter Anvin" <hpa@zytor.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Vasiliy Kulikov <segoon@openwall.com>,
	Eric Paris <eparis@parisplace.org>,
	kernel-hardening@lists.openwall.com, Valdis.Kletnieks@vt.edu,
	linux-kernel@vger.kernel.org,
	Alexey Dobriyan <adobriyan@gmail.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	linux-security-module@vger.kernel.org
Subject: Re: [kernel-hardening] Re: [PATCH] proc: restrict access to /proc/interrupts
Date: Mon, 07 Nov 2011 13:35:01 -0800	[thread overview]
Message-ID: <4EB84F05.1000704@zytor.com> (raw)
In-Reply-To: <CA+55aFwYGivYFZTLprSB+oDm3E4MG0s3PEQabs166v6YRL5u-Q@mail.gmail.com>

On 11/07/2011 01:23 PM, Linus Torvalds wrote:
> On Mon, Nov 7, 2011 at 12:47 PM, H. Peter Anvin <hpa@zytor.com> wrote:
>>
>> You didn't really get my point.  There are global nodes which are
>> dynamic, and more importantly the *set* changes across the system life.
>>  A global policy option is a lot easier to deal with for the vast
>> majority of users who don't need fine grain control.
> 
> I want *one* global policy that the kernel would actually know about:
> is the user physically at the machine right now.
> 
> Sadly, I don't think the kernel has any good way to figure that out
> automatically.
> 
> Because quite frankly, a lot of the /proc files should be "root or
> desktop user". If you control the hardware, you should damn well be
> able to see the interrupt counts in order to do bug reports etc
> without having to 'sudo' or similar.
> 
> I realize that pam & co could give us this info, or we could just add
> a new capability flag, but I think this is something where the kernel
> really could just do the RightThing(tm) automatically, and screw the
> crazy login managers, odd policies (I really don't believe that adding
> magic selinux rules actually improves security all that much, because
> it's too painful and too hard to know for any normal user).
> 
> The person in front of the hardware really *is* fundamentally special.
> 
> Right now all the distros do magic things with the audio device
> because they know the person in front of the machine is special. But
> all those things are ad-hoc per device, and never cover things like
> random /proc files etc.
> 

I was going to say "let's just have the login manager add a group to the
desktop user's permission set" but then I realized that this would be
really bad because of setgid files.

Which exposes a real problem with chgrp and setgid files overall.

The way setgid works effectively means that any user can become a member
of any group that they have at any time been a member of, simply by
"stashing" a copy of the group as a setgid file:

	cp /bin/sh my-saved-group
	chgrp mygroup my-saved-group
	chmod g+s my-saved-group

This is rather messy, because gids are otherwise a very nice capability
mechanism.

	-hpa

  reply	other threads:[~2011-11-07 21:35 UTC|newest]

Thread overview: 26+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-11-07 17:45 [PATCH] proc: restrict access to /proc/interrupts Vasiliy Kulikov
2011-11-07 18:06 ` Valdis.Kletnieks
2011-11-07 19:01   ` Vasiliy Kulikov
2011-11-07 19:18     ` H. Peter Anvin
2011-11-07 19:29       ` [kernel-hardening] " Vasiliy Kulikov
2011-11-07 19:48         ` Eric Paris
2011-11-07 19:50           ` H. Peter Anvin
2011-11-07 20:11             ` Vasiliy Kulikov
2011-11-07 20:47               ` H. Peter Anvin
2011-11-07 21:23                 ` Linus Torvalds
2011-11-07 21:35                   ` H. Peter Anvin [this message]
2011-11-07 23:07                     ` Linus Torvalds
2011-11-07 23:21                       ` Alan Cox
2011-11-07 23:27                         ` Greg KH
2011-11-07 23:40                           ` Theodore Tso
2011-11-07 23:45                             ` Alan Cox
2011-11-07 23:45                             ` Greg KH
2011-11-08 20:07                               ` Ted Ts'o
2011-11-09 16:14                                 ` Greg KH
2011-11-08  9:11                           ` Vasiliy Kulikov
2011-11-08 13:23                             ` Alan Cox
2011-11-08 17:41                               ` Vasiliy Kulikov
2011-11-08 17:06                   ` John Stoffel
2011-11-07 19:54           ` Vasiliy Kulikov
2011-11-07 20:10       ` Valdis.Kletnieks
2011-11-07 20:19         ` Vasiliy Kulikov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4EB84F05.1000704@zytor.com \
    --to=hpa@zytor.com \
    --cc=Valdis.Kletnieks@vt.edu \
    --cc=adobriyan@gmail.com \
    --cc=akpm@linux-foundation.org \
    --cc=eparis@parisplace.org \
    --cc=kernel-hardening@lists.openwall.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=segoon@openwall.com \
    --cc=torvalds@linux-foundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox