Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linux interface for on-access scanning

From: david
Date: Sun Aug 17 2008 - 21:45:30 EST


On Mon, 18 Aug 2008, Peter Dolding wrote:

> On Mon, Aug 18, 2008 at 7:17 AM, David Collier-Brown <davecb@xxxxxxx> wrote:
>> Peter Dolding wrote:
>>>
>>> Currently if we have an unknown infection on a windows partition that
>>> is being shared by linux, the scanner on Linux cannot see that the
>>> windows permissions have been screwed with. An OS with badly damaged
>>> permissions is a sign of one of three things. ...
>>
>> It's more likely that the files will reside on Linux/Unix under
>> Samba, and so the permissions that Samba implements will be the ones
>> that the virus is trying to mess up. These are implemented in
>> terms of the usual permission bits, plus extended attributes/ACLs.
>> Linux systems mounting Windows filesystems are somewhat unusual (;-))
>
> More desktop use of Linux means more cases of NTFS and FAT mounted under
> Linux. Funnily enough, Linux mounting Windows file systems is 100
> percent normal for most Ubuntu users, so there are a lot of them out
> there doing it. I am looking to the future: there are other filesystems
> coming with their own issues as well.

But what you are missing is that when they are mounted under Linux it doesn't matter what hidden things the other OS may access; all that matters is what Linux sees. If Linux doesn't see something, it can't serve it out to those other OSs.

Those 'hidden things' would only matter if you were trying to use Linux to scan a drive and bless it for another system to then mount locally. If we aren't trying to defend against that (and I don't hear anyone other than you saying we should), then we don't need to worry about such things.

If we were trying to make the drive safe for all other OSs to mount directly, then merely seeing everything isn't enough; you would have to be able to fully duplicate how the other OS interprets the things you are seeing, and know all vulnerabilities that arise from all possible interpretations. I don't think that's possible (and I don't think it would be possible even if the source for all those other OSs were available).

David Lang
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/