Re: RFC: disablenetwork facility. (v4)

[Michael Stone]

Serge Hallyn writes:
> Michael Stone writes:
> > The first reason why I'm not too worried is that anyone in a position to use
> > disablenetwork for nefarious purposes is also probably able to use ptrace(),
> > kill(), and/or LD_PRELOAD to similar ends.
>
> How do you mean?  

I meant that, with the current interface, to set disablenetwork for pid P, you
have either be pid P or to have been one of P's ancestors. In either case, you
have lots of opportunity to mess with P's environment. 

> I thought that disabling network was a completely
> unprivileged operation?  And subsequently executing a setuid-root
> application won't reset the flag.

Correct and correct for the current patches.

> > The second reason why I'm not too worried is that I believe it to be
> > straightforward to use the pre-existing MAC frameworks to prevent individually
> > important processes from dropping networking privileges.
> >
> > Do you have a specific concern in mind not addressed by either of these
> > observations?
>
> Near as I can tell the worst one could do would be to prevent remote
> admins from getting useful audit messages, which could give you unlimited
> time to keep re-trying the server, on your quest to a brute-force attack
> of some sort, i.e. restarting the server with random passwords, and now
> no audit msg about the wrong password gets generated, so you're free to
> exhaust the space of valid passwords.
>
> Not saying I'm all that worried about it - just something that came to
> mind.

I'll think about it further. Fortunately, there's no need to be hasty. :)

Michael
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/