Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S261202AbVAMIJl (ORCPT ); Thu, 13 Jan 2005 03:09:41 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S261201AbVAMIJl (ORCPT ); Thu, 13 Jan 2005 03:09:41 -0500 Received: from [209.195.52.120] ([209.195.52.120]:60818 "HELO warden2.diginsite.com") by vger.kernel.org with SMTP id S261202AbVAMIJB (ORCPT ); Thu, 13 Jan 2005 03:09:01 -0500 From: David Lang To: Willy Tarreau Cc: Matt Mackall , Linus Torvalds , Dave Jones , Andrew Morton , marcelo.tosatti@cyclades.com, Greg KH , chrisw@osdl.org, Alan Cox , Kernel Mailing List Date: Thu, 13 Jan 2005 00:02:01 -0800 (PST) X-X-Sender: dlang@dlang.diginsite.com Subject: Re: thoughts on kernel security issues In-Reply-To: <20050113074234.GJ7048@alpha.home.local> Message-ID: References: <20050112185133.GA10687@kroah.com> <20050112161227.GF32024@logos.cnet> <20050112205350.GM24518@redhat.com> <20050112182838.2aa7eec2.akpm@osdl.org> <20050113033542.GC1212@redhat.com> <20050113072851.GN2995@waste.org> <20050113074234.GJ7048@alpha.home.local> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1855 Lines: 43 On Thu, 13 Jan 2005, Willy Tarreau wrote: > On Wed, Jan 12, 2005 at 11:28:51PM -0800, Matt Mackall wrote: >> On Wed, Jan 12, 2005 at 08:48:57PM -0800, Linus Torvalds wrote: >>> >>> >>> On Wed, 12 Jan 2005, Dave Jones wrote: >>>> >>>> For us thankfully, exec-shield has trapped quite a few remotely >>>> exploitable holes, preventing the above. >>> >>> One thing worth considering, but may be abit _too_ draconian, is a >>> capability that says "can execute ELF binaries that you can write to". >>> >>> Without that capability set, you can only execute binaries that you cannot >>> write to, and that you cannot _get_ write permission to (ie you can't be >>> the owner of them either - possibly only binaries where the owner is >>> root). >> >> We can do that now with a combination of read-only and no-exec mounts. > > That's why some hardened distros ship with everything R/O (except var) and > /var non-exec. this only works if you have no reason to mix the non-exec and R/O stuff in the same directory (there is some software that has paths for stuff hard coded that will not work without them being togeather) also it gives you no ability to maintain the protection for normal users at the same time that an admin updates the system. Linus's proposal would let you five this cap to the normal users, but still let the admin manage the box normally. David Lang -- There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies. -- C.A.R. Hoare - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/