Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id ; Fri, 18 Oct 2002 08:59:52 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id ; Fri, 18 Oct 2002 08:59:52 -0400 Received: from phoenix.mvhi.com ([195.224.96.167]:7436 "EHLO phoenix.infradead.org") by vger.kernel.org with ESMTP id ; Fri, 18 Oct 2002 08:59:51 -0400 Date: Fri, 18 Oct 2002 14:05:43 +0100 From: Christoph Hellwig To: Crispin Cowan Cc: Alexander Viro , Greg KH , torvalds@transmeta.com, linux-kernel@vger.kernel.org, linux-security-module@wirex.com Subject: Re: [PATCH] remove sys_security Message-ID: <20021018140543.C1670@infradead.org> Mail-Followup-To: Christoph Hellwig , Crispin Cowan , Alexander Viro , Greg KH , torvalds@transmeta.com, linux-kernel@vger.kernel.org, linux-security-module@wirex.com References: <3DAFCE1B.805@wirex.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <3DAFCE1B.805@wirex.com>; from crispin@wirex.com on Fri, Oct 18, 2002 at 02:02:19AM -0700 Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1463 Lines: 31 On Fri, Oct 18, 2002 at 02:02:19AM -0700, Crispin Cowan wrote: > * root may not follow non-root symlinks in certain circumstances > (prevent some temp file attacks) > * non-root may not create a hard-link to root-owned files in certain > circumstances (prevent some other temp file attacks) > * may not ptrace root processes (preventing further recurrance of > the bugs in ptrace over the last year or so) > > These policies help a lot to secure a system. But these policies also > break some things, so it is good that they be a loadable module, and not > a proposed Linux patch. All three are actually very good examples on how your "Security" modules work around problems instead of fixing thev actual cause. Instead of adding hacks for tempfile races you rather want to give each user a private namesapace and it's own /tmp (IMHO we should also get rid of symlinks entirely, but they're in too wide use nowdays unfortunately). And ptrace _really_ _really_ needs to be replaced by a sane debug interface, like the plan9 procfs-based debugging. But instead of attaking these causes security folks like wirex just implement fuzzy busword mechanisms that are selable to managers. - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/