On Fri, 21 Jul 2000, Byron Stanoszek wrote:
> Blocking the commands in ioctl() is only half of the solution. For full
> security, one must also block iopl(0) from working, and for every [valid]
> application out there that needs to use iopl() to communicate with the
> device, there must exist a kernel ioctl() or some other syscall that allows
> the application to continue working after iopl() was disabled.
This, of course, isn't complete. If a user has root then that user
can destroy the hardware. If by no other way than by overwriting the boot
sector information and rebooting. Unless you want to break lilo and not
allow root to reboot the machine you're pretty much screwed. It is immoral
to try and claim this is a full solution and that it will protect the
hardware.
There are few ways to properly fix them, and all of them involve
the hardware. A jumper can be required, perhaps set to allow writing
initially so the idiots don't complain but the rest of us can move them to
disabled. Another solution is to require some sort of authentication in
order to overwrite the flash. This shouldn't actually be very hard, but
you still have to convince the disk makers to do this.
> The bottom line is, there is no sense in putting protective measures on
> ioctl() unless ioctl() is the ONLY way to get at a device. Until iopl() and
> any other possible access points are also secured, the hole is left wide open.
The point is that if the abuser has root there is no possible way to
secure all other access points w/o disabling the system to the point where it
is no longer useful.
> I want to be able to say I can rely on Linux to be an extremely stable and
> secure operating system, one that would be able to keep my hardware investment
> intact and unreachable from anyone who breaks into my system as Root. I don't
> know anyone who disagrees.
How about someone who might wish to actually *upgrade* the bios on the
disk? As it is now you'd have to reboot into DOS to do that. On a Sparc that
might be a little tricky. I realize that more work would have to be done and
that manufactures would actually have to *talk* instead of trying to play their
security-through-obscurity games but it's something that has the potentional
to be done.
Besides, as I mentioned above, if you've got root, none of this is
going to stop the abuser.
Stephen
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Sun Jul 23 2000 - 21:00:19 EST