From mboxrd@z Thu Jan 1 00:00:00 1970 From: Casey Schaufler Subject: Re: [PATCH 2/3] Security: Implement disablenetwork semantics. (v4) Date: Sun, 10 Jan 2010 17:50:24 -0800 Message-ID: <4B4A83E0.9000207@schaufler-ca.com> References: <20100110230839.GB3825@heat> <3e8340491001101541tc776ad9r887be13393bcb7fd@mail.gmail.com> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Cc: Michael Stone , Kyle Moffett , linux-kernel@vger.kernel.org, netdev@vger.kernel.org, linux-security-module@vger.kernel.org, Andi Kleen , David Lang , Oliver Hartkopp , Alan Cox , Herbert Xu , Valdis Kletnieks , Evgeniy Polyakov , "C. Scott Ananian" , James Morris , "Eric W. Biederman" , Bernie Innocenti , Mark Seaborn , Randy Dunlap , =?ISO-8859-1?Q?Am=E9rico_Wang?= , Tetsuo Handa , Samir Bellabes , "Serge E. Hallyn" , Pavel Machek , A To: Bryan Donlan Return-path: Received: from smtp107.prem.mail.sp1.yahoo.com ([98.136.44.62]:36175 "HELO smtp107.prem.mail.sp1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with SMTP id S1752834Ab0AKBu0 (ORCPT ); Sun, 10 Jan 2010 20:50:26 -0500 In-Reply-To: <3e8340491001101541tc776ad9r887be13393bcb7fd@mail.gmail.com> Sender: netdev-owner@vger.kernel.org List-ID: Bryan Donlan wrote: > On Sun, Jan 10, 2010 at 6:08 PM, Michael Stone wrote: > >> Paraphrasing Kyle: >> >> >>> Suppose there exist PAM modules which lazily fork background processes. >>> Now >>> assume that one of those PAM modules is hooked from /etc/pam.d/su, that >>> the >>> module fails closed when the network is unavailable, and that Mallory wins >>> the race to start the daemon. Boom. >>> >> I'm not disagreeing that there are configurations of programs, written for >> kernels without disablenetwork, which cease to be correct on kernels that >> provide it. However, all this says to me is that people who need to use >> those >> configurations probably shouldn't use disablenetwork. (Or that we haven't >> found >> exactly the right semantics for disablenetwork yet.) >> > > With the semantics given, the choice for using disablenetwork is given > to the unprivileged process, not to the administrator or privileged > process, so people using these configurations have no choice - the > malicious local user can just use it anyway. > > I still think requiring a drop of suid abilities would be best - if > the suid process wants to run in a no-network environment it can still > disablenetwork itself. > > Stop. If you can count on the program to use the mechanisms you've described correctly you can count on it to use exec, socket, and bind correctly. You're only trading one set of behaviors for another.