Re: security and the kernel (was Re: are limits bogus?)

From: Kevin Xie (xhg@gem.ncic.ac.cn)
Date: Wed Jan 19 2000 - 08:15:35 EST


hi,

take a look at the LIDS project..

It is a linux kernel patch to enhance the linux kernel security.

http://www.soaring-bird.com.cn/oss_proj/lids/
http://lids.webmotion.net/

kutek@cybercomm.net wrote:

> On Tue, Jan 18, 2000 at 02:42:12AM +0100, Dominik Kubla wrote:
> > > the question is: why is this done at the app level, rather than enforced
> > > by the kernel?
> >
> > They are. But since sshd is started with root-privileges (and root usually
> > has no resource limits) this is almost certainly a bug in sshd not setting
> > the appropriate resource levels for the user. Note that you can set some
>
> i disagree emphatically. the *kernel* should disallow passing of the root
> environment to any other user, under *all* circumstances.
>
> it's about time you guys acknowledged that app programmers cannot be
> trusted to do the right thing, and that security needs to be enforced at
> the kernel level, as far as is possible. I don't believe this will add
> great complexity to the kernel.
>
> in fact, /etc/initscript can be used to accomplish adequate limit control,
> but there is no way to specify individual users with it....it affects
> all processes.
>
> to say that the kernel is "enforcing" limits, when the *app* must initiate
> the setrlimit call is totally bogus.
>
> fractoid
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.rutgers.edu
> Please read the FAQ at http://www.tux.org/lkml/

--
Happy Hacking

Linux Intrusion Detection System http://www.soaring-bird.com.cn/oss_proj/lids/

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/



This archive was generated by hypermail 2b29 : Sun Jan 23 2000 - 21:00:20 EST