Re: Capabilities done right [diff against 2.3.1]

Theodore Y. Ts'o (tytso@MIT.EDU)
Mon, 17 May 1999 22:51:49 -0400 (EDT)

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Jeff Hittman: "blk_ioctl in 2.3.3-ac2"
Previous message: Jiann-Ming Su: "2.2.9 UP compile problem"
Maybe in reply to: Pavel Machek: "Capabilities done right [diff against 2.3.1]"
Next in thread: Theodore Y. Ts'o: "Re: Capabilities done right [diff against 2.3.1]"

Date: Mon, 17 May 1999 09:53:41 -0700 (PDT)
From: Linus Torvalds <torvalds@transmeta.com>

And anything that requires me to compile anything as a MIS person is
basically not acceptable. Remember what =users= are? They are the kind of
people that want to use the system, and not care about the technical
issues. They are the kind of people who say "Ok, I want to make sure this
program doesn't do anything bad, how do I do that" on the newsgroup, and
sending them a patch to change the source code to the program is only
going to make them (justifiably) irritated.

I guess most of the MIS folks I've dealt with are either so paranoid
that they won't run anything new, and dropping a few privs probably
won't make them that much more comfortable with it, OR (the vast
majority of them) will run it with full privs, fat, dumb, and happy.

So the question is how many users would actually be able to deal with
the configuration bits. There have certainly been plenty of studies
showing that most *users* can't even deal with Unix permissions bits,
let alone a full set of capabilities.

That's why having the program drop the bits may be more secure in the
long run. Yes, I know this means that the programs have to be
recompiled --- but remember that most *users* are installing from
distributions using pre-compiled binaries, and a lot of the programs
we're trying to make more secure against stack overruns, etc., are
precompiled binaries installed from the distribution.

IMHO, it's like the difference between airplanes and cars. People worry
about airplane accidents more than they worry about car accidents, and
generally feel invulnerable w.r.t. car accidents, since they feel in
control with a car when they're behind the steering wheel. But on a
per-mile travelled basis, airplanes are far safer than cars.

Just having the explicit control doesn't necessarily mean you are safer.
Particularly where =users= are concerned. Sorry for being a cynic, but
I've spent a lot of time in the security biz....

- Ted

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

Next message: Jeff Hittman: "blk_ioctl in 2.3.3-ac2"
Previous message: Jiann-Ming Su: "2.2.9 UP compile problem"
Maybe in reply to: Pavel Machek: "Capabilities done right [diff against 2.3.1]"
Next in thread: Theodore Y. Ts'o: "Re: Capabilities done right [diff against 2.3.1]"