public inbox for linux-kernel@vger.kernel.org
From: daw@cs.berkeley.edu (David Wagner)
To: linux-kernel@vger.kernel.org
Subject: Re: patch to make Linux capabilities into something useful (v 0.3.1)
Date: Thu, 7 Sep 2006 18:33:15 +0000 (UTC)
Message-ID: <edpolb$fea$1@taverner.cs.berkeley.edu>
In-Reply-To: 20060907160055.17688.qmail@web36604.mail.mud.yahoo.com

Casey Schaufler  wrote:
>That all depends on how important getting
>an evaluation complete is to you.

Getting an evaluation complete is of approximately zero importance to me.
I do want the system to be secure, but if the evaluators are ignorant of
basic security principles, then I don't much care what they may think.
Like I said, technical merit is a lot more important to me than pleasing
those who can't think clearly about security.  Frankly, I don't give a
fig what such evaluators think.

If you think there is a good technical argument against this patch, then
I encourage you to state that argument for yourself, without reference
to what evaluators may or may not think.  Appeals to authority do not
persuade me -- especially when the so-called "authority" doesn't appear
to know how to think clearly about security.

>And, they
>do have a point, which is why does it make
>sense to use the same privilege mechanism
>for your security policy as you do for your
>resource management policy.

I didn't think this patch had much of anything to do with resource
management.  I thought this patch was about POSIX-like capabilities.
Resource management isn't relevant here.  Can we talk about this patch,
instead of talking about why some other system of yours got hassled by
the evaluators?

>No, they were very clear that they felt that
>use of the privilege ought to be an indication
>that policy was being violated, and they were
>correct.

That's silly.  There's no justification for that view.  What does
"use of privilege" mean?  *Every* process has some privilege or other.
I think what you mean is that "any process which has privilege above some
baseline should be an indication that policy was violated".  But their
mistake was in getting confused over what the right baseline is, for the
purposes of that heuristic.

If the evaluators thought that a system where every application you
run automatically receives privilege to, e.g., delete all your files is
better than a system where only some applications receive privilege to
delete all your files -- then maybe they need to learn a little more
about the principle of least privilege.
