Re: Time to remove LSM (was Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks)

[Thomas Bleher]

* Valdis.Kletnieks@xxxxxx [2006-04-23 11:35]:
> On Sat, 22 Apr 2006 20:50:15 PDT, Crispin Cowan said:
> >> What happens if I ln /bin/stty /tmp/evilstty, then exploit
> >> vulnerability in stty? 
> 
> A crucial point here is that the 'ln' and the actual exploit don't
> have to be firmly attached to each other...

Yes, it doesn't even have to be malicious. Consider the following
example:
An admin sets up an ftp-server with write access, running as root. He
chroots it and even creates AppArmor policy for it. However, he's a bit
sloppy and configures AppArmor so that the ftpd has write access to
everything in the chroot (even the stuff in bin/). The system is still
save, however, since the ftpd can't access anything outside of his
chroot.
Later, the admin decides to save space, deletes the bin/ directory and
instead links /bin/ls into the chroot. Suddenly the system is easily
exploitable.
I think that's what people mean when they say "impossible to analyze".
You have to look at the complete filesystem state to make sure you
didn't accidently compromise the whole system.

Thomas

Attachment: signature.asc
Description: Digital signature