Re: [PATCH 2/3] Security: Implement disablenetwork semantics. (v4)

From: Michael Stone
Date: Sun Jan 10 2010 - 17:37:57 EST


Pavel Machek wrote:

You can trivially make disablenetwork disable setuid exec, too. That
will introduce better isolation facilities, but not introduce any new
security problems.

For some reason, you don't want to do the obviously right thing.

I don't want to do it because it's not "obviously right" to me: I *have* setuid
programs that I want to be able to raise privileges when network-disabled.
I *don't have* any setuid programs that will be harmed by disablenetwork.

Examples of software that I want to be able to gain privileges normally include:

rainbow, which requires privilege in order to add new accounts to the system
and in order to call setuid() but which does not require networking
privileges.

qmail-queue, which uses setuid to deliver mail that it reads from fd 0 to
local users

and other old favorites like mount, fusermount, X, and, presumably, any audio
software that wants to go realtime.

Kind regards,

Michael