On Tue, 18 Apr 2006 13:13:03 PDT, Crispin Cowan said:
> This gives the system administrator the ability to force applications to
> "drop" privs even when the application developer didn't bother, or (as
> was the case in a Sendmail vulnerability several years ago) the
> application *tried* to drop privs and got it wrong, so was running as
> full root anyway.

Interestingly enough, the Sendmail bug was a case where it was forced to "drop" some privs, and then it didn't have enough privs to drop the rest of the privs. In other words, it's quite possible to accidentally introduce a vulnerability that wasn't exploitable before, by artificially restricting the privs in a way the designer didn't expect. So this is really just handing the sysadmin a loaded gun and waiting.

(Incidentally, both SELinux and presumably AppArmor have the same problem - it is really hard to convince yourself that you've identified *all* the access that a given program needs. People keep finding ways to exercise previously untested code paths and error handlers, resulting in a game of whack-a-mole as the program fails due to a lack of permissions. This is especially fun to debug when the program is already in an error handler... ;)
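The failure mode the message describes, a privilege drop that is carried out only part way because the process no longer holds the privilege needed to finish it, is the reason a drop routine has to check every return value and then read its credentials back rather than assume the calls worked. The following is an added example written for this page, not code from the message, from sendmail, or from any LSM; the function names are hypothetical and it assumes a Linux libc that provides setresuid/setresgid/getresuid/getresgid and setgroups.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <sys/types.h>
#include <unistd.h>

/* Explicit prototypes in case this file is compiled without _GNU_SOURCE
 * taking effect before the system headers were read (glibc/musl). */
int setresuid(uid_t, uid_t, uid_t);
int setresgid(gid_t, gid_t, gid_t);
int getresuid(uid_t *, uid_t *, uid_t *);
int getresgid(gid_t *, gid_t *, gid_t *);
int setgroups(size_t, const gid_t *);

/* Hypothetical helper: report whether the supplementary group list is
 * anything other than exactly {gid}. setgroups() needs CAP_SETGID, which
 * may be precisely the privilege that was taken away, so it is only called
 * when there is something to reset. Returns 1 if a reset is needed. */
static int supplementary_groups_need_reset(gid_t gid) {
    gid_t list[256];
    int n = getgroups(256, list);
    if (n < 0)            /* too many groups, or error: cannot tell, so reset */
        return 1;
    for (int i = 0; i < n; i++)
        if (list[i] != gid)
            return 1;
    return 0;
}

/* Hypothetical helper: permanently become uid/gid. Returns 0 on success,
 * -1 with errno set on any failure. Unlike a drop that ignores return
 * values, a refused setuid()/setgid() (EPERM when the matching capability
 * is gone) is reported instead of leaving the process silently root. */
int drop_privileges_permanently(uid_t uid, gid_t gid) {
    uid_t ru, eu, su;
    gid_t rg, eg, sg;

    /* Group ids first: once the uid is non-root, gid changes are refused. */
    if (supplementary_groups_need_reset(gid) && setgroups(1, &gid) != 0)
        return -1;
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    /* Real, effective and saved uid together, so no privilege is left behind. */
    if (setresuid(uid, uid, uid) != 0)
        return -1;

    /* Do not trust the return codes alone: read the credentials back. */
    if (getresuid(&ru, &eu, &su) != 0 || ru != uid || eu != uid || su != uid) {
        errno = EPERM;
        return -1;
    }
    if (getresgid(&rg, &eg, &sg) != 0 || rg != gid || eg != gid || sg != gid) {
        errno = EPERM;
        return -1;
    }

    /* A non-root target must not be able to climb back to root, e.g. via a
     * saved uid that a partial drop left at 0. */
    if (uid != 0 && (seteuid(0) == 0 || setuid(0) == 0)) {
        errno = EPERM;
        return -1;
    }
    return 0;
}
```

Calling `drop_privileges_permanently(target_uid, target_gid)` from a process that has had CAP_SETUID or CAP_SETGID removed returns -1 with errno EPERM at the first refused step, which is the point at which a daemon should log and exit rather than carry on. The read-back with getresuid/getresgid and the attempt to regain root are what distinguish "the call returned" from "the process is actually unprivileged".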
- References:
- [RFC] packet/socket owner match (fireflier) using skfilter
- From: Török Edwin
- [RFC][PATCH 2/7] implementation of LSM hooks
- From: Török Edwin
- Re: [RFC][PATCH 2/7] implementation of LSM hooks
- From: Stephen Smalley
- Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks
- From: Török Edwin
- Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks
- From: Stephen Smalley
- Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks
- From: Christoph Hellwig
- Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks
- From: Stephen Smalley
- Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks
- From: Christoph Hellwig
- Time to remove LSM (was Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks)
- From: James Morris
- Re: Time to remove LSM (was Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks)
- From: Greg KH
- Re: Time to remove LSM (was Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks)
- From: Alan Cox
- Re: Time to remove LSM (was Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks)
- From: Valdis Kletnieks
- Re: Time to remove LSM (was Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks)
- From: Crispin Cowan