Re: DEVFSv50 and /dev/fb? (or /dev/fb/? ???)

Terry L Ridder (terrylr@tbcnet.com)
Wed, 19 Aug 1998 20:04:36 -0500


Hello Everyone;

I did notice a typing error in my original posting
below is how it should have read.

<Begin Corrected Quote>
In a perfect world that may be true, since however we live in an
imperfect world, and we all make mistakes, security will probably
continue to be compromised by drivers/daemons/etc.
When a problem is discovered they are fixed.
So yes in a perfect world a driver/daemon/etc should not compromise
                                                     ^^^
missing word in original posting----------------------^

a system, however in the imperfect world we live in they do.

<End Corrected Quote>

Shawn Leas wrote:
>
> On Wed, 19 Aug 1998, Terry L Ridder wrote:
> > > Hm. OK. That's something that I could do with devfsd. However, it
> > > still seems to me that loading a driver should never compromise your
> > > system. If it does the driver is broken.
> >
> > In a perfect world that may be true, since however we live in an
> > imperfect world, and we all make mistakes, security will probably
> > continue to be compromised by drivers/daemons/etc. When a problem is
> > discovered they are fixed. So yes in a perfect world a driver/daemon/etc
> > should compromise a system, however in the imperfect world we live in
> > they do.
>
> Don't blame DevFS for driver breakage, you are simply pointing fingers,
> and you are unable to make intelligent judgements in the first place.

Since my comment had nothing to do at all with dev_fs, it is clear
that you are not referring to me. As to whom you are referring I have
no idea.

>
> > > Well, I cover the reasons in the FAQ. One other reason I should get
> > > around to adding: security. I expect many systems will not want to
> > > change device permissions (the drivers provide sensible defaults). In
> > > that case if some random hacker frobs the permissions on /dev/sda*
> > > then the next reboot gives you back the default (safe) permissions.
> >
> > This to me seems like a really bad idea.
> > Once a system has been compromised it would seem that you would
> > want to keep as much "evidence" as possible. Resetting the
> > permissions at the next reboot would destroy some "evidence".
> > This may also be the only piece of "evidence" that is readily visible.
>
> The evidence is in how the f*cker got root in the first place. Simply
> putting /dev/sd? back the way it should be is not a bad idea. Again,
> evidence that you are incapable of rational thought.

My personal preference is that I like to retain as much visible evidence
as possible, taking into account operational requirements, so that the
security hole which allowed an unauthorised person to gain access to the
machine in the first place can be found and corrected. Putting /dev/sd?
permissions back to what the System Administrator wants/requires/needs
at the next reboot may destroy the only piece of evidence that the
machine's security had in fact been breached.

>
> -Shawn

-- 
Terry L. Ridder
Blue Danube Software (Blaue Donau Software)
"We do not write software, we compose it."

When the toast is burnt and all the milk has turned and Captain Crunch is waving farewell when the Big One finds you may this song remind you that they don't serve breakfast in hell ==Breakfast==Newsboys
