Re: thoughts on kernel security issues

[Linus Torvalds]

On Thu, 13 Jan 2005, Alan Cox wrote:
>
> On Iau, 2005-01-13 at 16:38, Linus Torvalds wrote:
> > It wouldn't be a global flag. It's a per-process flag. For example, many 
> > people _do_ need to execute binaries in their home directory. I do it all 
> > the time. I know what a compiler is.
> 
> noexec has never been worth anything because of scripts. Kernel won't
> load that binary, I can write a script to do it.

Scripts can only do what the interpreter does. And it's often a lot harder
to get the interpreter to do certain things. For example, you simply
_cannot_ get any thread race conditions with most scripts out there, nor 
can you generally use magic mmap patterns.

Am I claiming that disallowing self-written ELF binaries gets rid of all 
security holes? Obviously not. I'm claiming that there are things that 
people can do that make it harder, and that _real_ security is not about 
trusting one subsystem, but in making it hard enough in many independent 
ways that it's just too effort-intensive to attack.

It's the same thing with passwords. Clearly any password protected system
can be broken into: you just have to guess the password. It then becomes a
matter of how hard it is to "guess" - at some point you say a password is
secure not because it is a password, but because it's too _expensive_ to
guess/break.

So all security issues are about balancing cost vs gain. I'm convinced
that the gain from openness is higher than the cost. Others will disagree.  

		Linus
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/