In <Pine.LNX.4.10.10007212130070.4130-100000@dax.joh.cam.ac.uk> James Sutherland (jas88@cam.ac.uk) wrote:
> On Fri, 21 Jul 2000, Dan Hollis wrote:
>> On Fri, 21 Jul 2000, James Sutherland wrote:
>> > On Thu, 20 Jul 2000, Dan Hollis wrote:
>> > > Ok, you prevent program from sending DISKTOBRICK IOCTL as root...
>> > > So disk2brick.c will just bypass the kernel API and bit-bang on the IDE
>> > > controller directly...
>> > If a usermode app can hit the hardware directly like that, there's
>> > something VERY broken...
>>
>> James, you can erase BIOS flash from linux userland,
> Urgh. That should be fixed at some point too, then.
Yes. What's MORE amusing that it WAS fixed. For years I had this small jumper
on my MB to disable writes to flash BIOS.
> Everything userland does with hardware should go via the kernel, and it
> should be possible for the kernel to block/restrict that access.
Great idea. Perhaps 10 years later we'll have such system. For now we have
no choices: some work with video cards NEED access to hardware (acceleration;
and you DO NOT want acceleration to go via the kernel, really).
>> you could probably even physically destroy it too. I can think of
>> great ways of physically destroying one's CPU and maybe even
>> motherboard too, from userland.
>>
>> This is nothing new.
>>
>> Is the kernel broken because you can bit-bang the hardware as root?
> Yes. See later.
>> Think about it.
> Think about this: there are situations where root *MUST* be subject to
> various restrictions (via capabilities, immutable files, etc). If root is
> able to talk directly to the hardware, these restrictions become
> unenforcable - security just went out of the window. This is unacceptable:
> Linux must not do it. (Or rather, it must be possible to prevent Linux
> doing it.)
It IS possible. Remove CAP_SYS_ADMIN and CAP_SYS_RAW capabilities from
system. Yes, perhaps patch to require CAP_SYS_RAW for RAW ide commands
can go in. It's quite different thing then proposed papering over hole.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Sun Jul 23 2000 - 21:00:18 EST