Date: Fri, 1 Jan 2010 14:46:29 +0000
From: Alan Cox <alan@lxorguk.ukuu.org.uk>
To: daw-news@taverner.cs.berkeley.edu (David Wagner)
Cc: linux-kernel@vger.kernel.org
Subject: Re: [RFC][PATCH v3] Unprivileged: Disable raising of privileges
Message-ID: <20100101144629.54fe6cb6@lxorguk.ukuu.org.uk>
In-Reply-To: <hhioif$j9t$3@taverner.cs.berkeley.edu>
References: <m1iqbpwjtp.fsf@fess.ebiederm.org>
	<m2bphfti1u.fsf@ssh.synack.fr>
	<e7d8f83e0912310608j2c52acabxbd57d24e2b3073ca@mail.gmail.com>
	<20091231170641.6dd46c6e@lxorguk.ukuu.org.uk>
	<hhioif$j9t$3@taverner.cs.berkeley.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 8BIT
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1022
Lines: 25

On Thu, 31 Dec 2009 17:55:27 +0000 (UTC)
daw@cs.berkeley.edu (David Wagner) wrote:

> Alan Cox  wrote:
> >Removing specific features from a specific piece of code
> >generally isn't a security feature -
> 
> You lost me there.  The ability of a specific piece of code to voluntarily
> relinquish privileges can be a big benefit to security. 

Can be - but its historically been an endless source of bugs and flaws
because the code being run after you take the rights away is being run in
an environment it didn't expect and wasn't tested in.

>From inanities like setting the file size limit to 0 and running passwd
blanking the password file (SGI Irix) to closing file handle 0 or setting
cpu quotas to make a forked daemon process die unexpectedly the list is
endless.

Alan
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/