On 5/2/06, Matthew Wilcox <[email protected]> wrote:
On Tue, May 02, 2006 at 05:52:09PM -0400, Jon Smirl wrote: > Have you seen this method of getting root from X? > http://www.cansecwest.com/slides06/csw06-duflot.ppt > It is referenced from Theo de Raadt interview on kerneltrap > http://kerneltrap.org/node/6550 That's a great indication of why securelevels aren't. It pretty much fits the Linux model of "once you're root, you can do anything". The POSIX Capabilities really don't help either. I suppose SELinux might be able to help, but I don't care to get into that discussion here ;-)
And there is the root exploit found by Coverity this week too: http://news.yahoo.com/s/zd/20060502/tc_zd/177195 X is multiple megabytes of code needlessly running as root. If we could convince X to use device drivers to talk to the hardware it wouldn't need to run as root. This is part of why I am against this patch, it is another crutch to let X keep on running as root instead of fixing the underlying problem. -- Jon Smirl [email protected] - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
- Follow-Ups:
- References:
- Add a "enable" sysfs attribute to the pci devices to allow userspace (Xorg) to enable devices without doing foul direct access
- From: Arjan van de Ven <[email protected]>
- Re: Add a "enable" sysfs attribute to the pci devices to allow userspace (Xorg) to enable devices without doing foul direct access
- From: Arjan van de Ven <[email protected]>
- Re: Add a "enable" sysfs attribute to the pci devices to allow userspace (Xorg) to enable devices without doing foul direct access
- From: "Jon Smirl" <[email protected]>
- Re: Add a "enable" sysfs attribute to the pci devices to allow userspace (Xorg) to enable devices without doing foul direct access
- From: Arjan van de Ven <[email protected]>
- Re: Add a "enable" sysfs attribute to the pci devices to allow userspace (Xorg) to enable devices without doing foul direct access
- From: "Jon Smirl" <[email protected]>
- Re: Add a "enable" sysfs attribute to the pci devices to allow userspace (Xorg) to enable devices without doing foul direct access
- From: Arjan van de Ven <[email protected]>
- Re: Add a "enable" sysfs attribute to the pci devices to allow userspace (Xorg) to enable devices without doing foul direct access
- From: "Jon Smirl" <[email protected]>
- Re: Add a "enable" sysfs attribute to the pci devices to allow userspace (Xorg) to enable devices without doing foul direct access
- From: "Dave Airlie" <[email protected]>
- Re: Add a "enable" sysfs attribute to the pci devices to allow userspace (Xorg) to enable devices without doing foul direct access
- From: "Jon Smirl" <[email protected]>
- Re: Add a "enable" sysfs attribute to the pci devices to allow userspace (Xorg) to enable devices without doing foul direct access
- From: Matthew Wilcox <[email protected]>
- Add a "enable" sysfs attribute to the pci devices to allow userspace (Xorg) to enable devices without doing foul direct access
- Prev by Date: Re: [patch 00/14] remap_file_pages protection support
- Next by Date: Re: Add a "enable" sysfs attribute to the pci devices to allow userspace (Xorg) to enable devices without doing foul direct access
- Previous by thread: Re: Add a "enable" sysfs attribute to the pci devices to allow userspace (Xorg) to enable devices without doing foul direct access
- Next by thread: Re: Add a "enable" sysfs attribute to the pci devices to allow userspace (Xorg) to enable devices without doing foul direct access
- Index(es):
 |