linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Eric Paris <eparis@parisplace.org>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
	Alan Cox <alan@lxorguk.ukuu.org.uk>, Ingo Molnar <mingo@elte.hu>,
	James Morris <jmorris@namei.org>,
	linux-kernel@vger.kernel.org, Kyle McMartin <kyle@mcmartin.ca>,
	Alexander Viro <viro@ftp.linux.org.uk>
Subject: Re: Upstream first policy
Date: Mon, 8 Mar 2010 18:18:21 -0500	[thread overview]
Message-ID: <7e0fb38c1003081518o7cddd121wa9c363a4e8211115@mail.gmail.com> (raw)
In-Reply-To: <m1fx4apgch.fsf@fess.ebiederm.org>

On Mon, Mar 8, 2010 at 6:02 PM, Eric W. Biederman <ebiederm@xmission.com> wrote:
> Linus Torvalds <torvalds@linux-foundation.org> writes:
>
>> On Mon, 8 Mar 2010, Alan Cox wrote:
>>>
>>> Quite untrue. I've actually *used* path based security systems (DEC10
>>> ACLs) and for almost every case its brain-dead.
>>>
>>> Imagine a world where this happened
>>
>> Alan, stop right there.
>>
>> You're making the same silly and incorrect mistake that Al did.
>>
>> Namely thinking that you have to have just one or the other.
>>
>> When you say "your /etc/passwd example is a special case", you are
>> admitting that there are two different cases, but then after that,  you
>> still don't see the whole point I'm trying to make.
>>
>> Let me try again:
>>
>>   THERE ARE DIFFERENT CASES
>>
>> That's the point. Just admit that, and then let the calm of "Ooh, there
>> are different kinds of circumstances that may want different kinds of
>> rules" permeate you.
>>
>> My whole (and only) argument is against the "only one way is correct"
>> mentality.
>
>
> Reading through all of this it occurred to me there is a case where
> path names are fundamentally important shows up for me all of the
> time.  If pathnames were not fundamentally important we could apply
> a patch like the one below and allow unprivileged users to unshare
> the mount namespace and mount filesystems wherever.  There is nothing
> fundamental about those operations that require root privileges except
> that you are manipulating the pathnames of objects.
>
> Unfortunately if we did that suid executables would become impossible
> because they couldn't trust anything to start with.

You do realize that with content based security systems the pathnames
aren't important and you could implement your example patch?  Sure a
user could mount something on /lib and put their own files there, but
since that user couldn't get them labelled correctly the suid app
would not be able to use them and would fail.  Users would have new
and interesting way to break their computers!  I thank you for your
vote for content based security systems instead of pathname systems
and look forward to your future contributions to either that body of
knowledge or the bridging of the gap between the two *smile*

-Eric

  reply	other threads:[~2010-03-08 23:18 UTC|newest]

Thread overview: 51+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2010-03-07 21:23 Upstream first policy James Morris
2010-03-07 21:31 ` Linus Torvalds
2010-03-07 21:36   ` Linus Torvalds
2010-03-08  9:46 ` Ingo Molnar
2010-03-08 17:30   ` Alan Cox
2010-03-08 18:08     ` Linus Torvalds
2010-03-08 18:45       ` Al Viro
2010-03-08 18:53         ` Al Viro
2010-03-08 18:59         ` Linus Torvalds
2010-03-08 19:15           ` Linus Torvalds
2010-03-08 19:17           ` Alan Cox
2010-03-08 19:32             ` Linus Torvalds
2010-03-09  0:48               ` Kyle McMartin
2010-03-08 21:20             ` Chris Adams
2010-03-08 19:18           ` Al Viro
2010-03-09  1:18           ` Luca Barbieri
2010-03-09  1:25             ` Al Viro
2010-03-09  1:51               ` Luca Barbieri
2010-03-09  1:55                 ` Al Viro
2010-03-09  2:09                   ` Luca Barbieri
2010-03-08 19:08       ` Alan Cox
2010-03-08 19:18         ` Linus Torvalds
2010-03-08 19:27           ` Alan Cox
2010-03-08 19:34             ` Linus Torvalds
2010-03-09  7:29               ` Ingo Molnar
2010-03-09  8:46                 ` Dave Airlie
2010-03-09 14:58                   ` Ulrich Drepper
2010-03-08 23:02           ` Eric W. Biederman
2010-03-08 23:18             ` Eric Paris [this message]
2010-03-09 15:16               ` Florian Mickler
2010-03-09 22:49             ` Alan Cox
2010-03-11  3:52               ` Eric W. Biederman
2010-03-08 22:12       ` Ulrich Drepper
2010-03-08 23:12         ` Eric Paris
2010-03-08 23:21           ` Linus Torvalds
2010-03-08 23:18       ` Rik van Riel
2010-03-08 23:37         ` Linus Torvalds
2010-03-08 23:51           ` Rik van Riel
2010-03-09  0:10             ` Linus Torvalds
2010-03-09  3:26               ` Casey Schaufler
2010-03-09  3:58                 ` Linus Torvalds
2010-03-09 13:09                   ` Samir Bellabes
2010-03-09  0:15           ` Al Viro
2010-03-09  0:48             ` Al Viro
2010-03-09  1:49               ` Linus Torvalds
2010-03-09  2:05                 ` Al Viro
2010-03-09  2:18                   ` Linus Torvalds
2010-03-23 13:59     ` Pavel Machek
     [not found] <elwcV-406-1@gated-at.bofh.it>
     [not found] ` <elHL4-42q-5@gated-at.bofh.it>
     [not found]   ` <elP5U-6Ku-29@gated-at.bofh.it>
     [not found]     ` <elPyV-7zE-7@gated-at.bofh.it>
     [not found]       ` <elQbE-8ll-7@gated-at.bofh.it>
     [not found]       ` <elQv0-vu-13@gated-at.bofh.it>
     [not found]         ` <elQEG-Hn-33@gated-at.bofh.it>
2010-03-08 19:40           ` James Kosin
  -- strict thread matches above, loose matches on Subject: below --
2010-03-04 18:39 [git pull] drm request 3 Jesse Barnes
2010-03-04 18:51 ` Linus Torvalds
2010-03-04 18:56   ` Jesse Barnes
2010-03-04 19:08     ` Linus Torvalds
2010-03-04 19:25       ` Dave Airlie
2010-03-04 20:01         ` Linus Torvalds
2010-03-04 22:06           ` Dave Airlie
2010-03-05  0:08             ` Linus Torvalds
2010-03-05  0:28               ` Ben Skeggs
2010-03-05  0:41                 ` Linus Torvalds
2010-03-05  1:19                   ` Upstream first policy Kyle McMartin
2010-03-05  1:28                     ` Linus Torvalds

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=7e0fb38c1003081518o7cddd121wa9c363a4e8211115@mail.gmail.com \
    --to=eparis@parisplace.org \
    --cc=alan@lxorguk.ukuu.org.uk \
    --cc=ebiederm@xmission.com \
    --cc=jmorris@namei.org \
    --cc=kyle@mcmartin.ca \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mingo@elte.hu \
    --cc=torvalds@linux-foundation.org \
    --cc=viro@ftp.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).