Re: Upstream first policy
From: Eric Paris
Date: Mon Mar 08 2010 - 18:18:28 EST
On Mon, Mar 8, 2010 at 6:02 PM, Eric W. Biederman <ebiederm@xxxxxxxxxxxx> wrote:
> Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> writes:
>
>> On Mon, 8 Mar 2010, Alan Cox wrote:
>>>
>>> Quite untrue. I've actually *used* path based security systems (DEC10
>>> ACLs) and for almost every case its brain-dead.
>>>
>>> Imagine a world where this happened
>>
>> Alan, stop right there.
>>
>> You're making the same silly and incorrect mistake that Al did.
>>
>> Namely thinking that you have to have just one or the other.
>>
>> When you say "your /etc/passwd example is a special case", you are
>> admitting that there are two different cases, but then after that, you
>> still don't see the whole point I'm trying to make.
>>
>> Let me try again:
>>
>> THERE ARE DIFFERENT CASES
>>
>> That's the point. Just admit that, and then let the calm of "Ooh, there
>> are different kinds of circumstances that may want different kinds of
>> rules" permeate you.
>>
>> My whole (and only) argument is against the "only one way is correct"
>> mentality.
>
>
> Reading through all of this it occurred to me there is a case where
> path names are fundamentally important shows up for me all of the
> time. If pathnames were not fundamentally important we could apply
> a patch like the one below and allow unprivileged users to unshare
> the mount namespace and mount filesystems wherever. There is nothing
> fundamental about those operations that require root privileges except
> that you are manipulating the pathnames of objects.
>
> Unfortunately if we did that suid executables would become impossible
> because they couldn't trust anything to start with.
You do realize that with content based security systems the pathnames
aren't important and you could implement your example patch? Sure a
user could mount something on /lib and put their own files there, but
since that user couldn't get them labelled correctly the suid app
would not be able to use them and would fail. Users would have new
and interesting way to break their computers! I thank you for your
vote for content based security systems instead of pathname systems
and look forward to your future contributions to either that body of
knowledge or the bridging of the gap between the two *smile*
-Eric
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/