On Thu, Feb 16, 2006 at 09:41:32AM -0800, Dave Hansen wrote:
> On Thu, 2006-02-16 at 15:30 +0100, Herbert Poetzl wrote:
> > > - Should a process have some sort of global (on the machine identifier)?
> >
> > this is mandatory, as it is required to kill any process
> > from the host (admin) context, without entering the pid
> > space (which would lead to all kind of security issues)
>
> Giving admin processes the ability to enter pid spaces seems like it
> solves an entire class of problems, right?.
really depends on the situation and the setup.
let me give a few examples here (I'll assume
fully blown guests not just pid spaces here)
- guest is running some kind of resource hog,
which already reached the given guest limits
any attempt to enter the guest will fail
because the limits do not permit that
- the guest has been suspended (unscheduled)
because of some fork bomb running inside
and you want to kill off only the bomb
entering the guest would immediately stop
your process, so no way to send signals
- there is a pid killer running inside the
guest, which kills every newly created
process as soon as it is discovered
entering the guest would kill your shell
> Could you explain a bit what kinds of security issues it introduces?
well, it introduces a bunch of issues, not all
directly security related, here some of them:
(I keep them general because most of them can
be worked around by additional checks and flags)
- ptrace from inside the context could hijack
your 'admin' task and use it for all kind
of evil stuff
- entering the guest *spaces might cause some
issues with dynamic libraries
- you process would show up in task lists and
guest security tracers, which might give a
false alarm when they get aware of your kill
task
- the entire guest accounting, regarding tasks
would get messed up by the 'outside' process
In general, I prefer to think of this as working
with nuclear material via an actuator from behind
a 4" lead wall -- you just do not want to go in
to fix things :)
best,
Herbert
> -- Dave
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]