Re: (pspace,pid) vs true pid virtualization

On Thu, Feb 16, 2006 at 09:41:32AM -0800, Dave Hansen wrote:
> On Thu, 2006-02-16 at 15:30 +0100, Herbert Poetzl wrote:
> > > - Should a process have some sort of global (on the machine identifier)?
> > 
> > this is mandatory, as it is required to kill any process
> > from the host (admin) context, without entering the pid
> > space (which would lead to all kind of security issues) 
> 
> Giving admin processes the ability to enter pid spaces seems like it
> solves an entire class of problems, right?. 

really depends on the situation and the setup.
let me give a few examples here (I'll assume
fully blown guests not just pid spaces here)

 - guest is running some kind of resource hog, 
   which already reached the given guest limits

   any attempt to enter the guest will fail
   because the limits do not permit that

 - the guest has been suspended (unscheduled)
   because of some fork bomb running inside
   and you want to kill off only the bomb

   entering the guest would immediately stop
   your process, so no way to send signals

 - there is a pid killer running inside the
   guest, which kills every newly created
   process as soon as it is discovered

   entering the guest would kill your shell

> Could you explain a bit what kinds of security issues it introduces?

well, it introduces a bunch of issues, not all
directly security related, here some of them:
(I keep them general because most of them can
be worked around by additional checks and flags)

 - ptrace from inside the context could hijack
   your 'admin' task and use it for all kind
   of evil stuff

 - entering the guest *spaces might cause some
   issues with dynamic libraries

 - you process would show up in task lists and
   guest security tracers, which might give a
   false alarm when they get aware of your kill
   task

 - the entire guest accounting, regarding tasks
   would get messed up by the 'outside' process

In general, I prefer to think of this as working 
with nuclear material via an actuator from behind 
a 4" lead wall -- you just do not want to go in 
to fix things :)

best,
Herbert

> -- Dave
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

---

• Follow-Ups:
  • Re: (pspace,pid) vs true pid virtualization
    • From: Dave Hansen <[email protected]>

• References:
  • (pspace,pid) vs true pid virtualization
    • From: "Serge E. Hallyn" <[email protected]>
  • Re: (pspace,pid) vs true pid virtualization
    • From: [email protected] (Eric W. Biederman)
  • Re: (pspace,pid) vs true pid virtualization
    • From: Herbert Poetzl <[email protected]>
  • Re: (pspace,pid) vs true pid virtualization
    • From: Dave Hansen <[email protected]>

• Prev by Date: Re: Linux 2.6.16-rc3
• Next by Date: Re: [PATCH] FUTEX: one more return .
• Previous by thread: Re: (pspace,pid) vs true pid virtualization
• Next by thread: Re: (pspace,pid) vs true pid virtualization
• Index(es):
  • Date
  • Thread

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]