Re: Upstream first policy
From: Linus Torvalds
Date: Mon Mar 08 2010 - 19:12:11 EST
On Mon, 8 Mar 2010, Rik van Riel wrote:
>
> > But that thing is _independent_ from the other totally unrelated issue,
> > namely the fact that "/etc/passwd" is a special name in the namespace. In
> > other words, there is "content security", but then there is also
> > "namespace security".
>
> ... what exactly does the namespace security protect against?
>
> What is the threat model that the namespace security protects
> against, which is not protected by the content based security?
Umm? Seriously?
What is _any_ security all about? You try to limit the opportunity for
damage, accidental or not.
So let's take a trivial example. Let's say that you are root, and you edit
/etc/shadow by hand. I've done it, you've probably done it, it's not
rocket science. Now, you do it using any random editor, and most likely
it's going to write the new file into a temp-file, and then rename that
temp-file over the old file (perhaps creating a backup of the old file
depending on editor and settings).
Now, think about what that implies for a moment. Especially consider the
case that there were ACL's ("inode-based security") on the old /etc/passwd
or /etc/shadow file that got moved away as a backup. What happened to
those ACL's when you edited the file using a random editor?
Now, do you see what the difference between pathname-based and inode-based
security is? Do you realize how if anybody wants to track accesses to
/etc/shadow, they are not going to be interested in the _old_ backup copy
of /etc/shadow?
Linus
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/