Security Patches (was Re: [PATCH].. blah)

Alan Cox (alan@lxorguk.ukuu.org.uk)
Tue, 4 Aug 1998 23:03:40 +0100 (BST)


> Not really. You're attacking some known broken version of some specific
> program anyway ("ftpd" or whatever - you need a point of contact), which
> means that you're by no means limited to libc entrypoints.

Linus, I don't doubt you could do it given a day's work. I don't doubt the
L0pht guys can do it. But the average "install egg" person will have a very
bad time. I've tried exploiting stuff with this patch in place - it's damned
difficult - but not impossible locally - trying to get a shell off a daemon
when you also have to shuffle file handles first defeated me.

> I chose libc mainly because it's the obvious choice, but your example
> makes it just all the more clear that the whole approach of the patch is
> not to fix real problems, but to fix specific attacks that really should
> have been fixed in the binary.

Nobody would argue with that, but the kernel is a tiny little speck in the
space of broken applications. Let alone the fact that some people really really
don't understand the issues.

It's taken three years to get the gcc tmp file races fixed. GNU still haven't
fixed their bug reporting scripts (yes it has a tmp file race too). Then
there are programs like uwashington imapd which quite frankly it would be
easier to rewrite than audit and be happy about the quality of the results
and pine - anyone reading their email using pine, perhaps also with a version
of metamail more than 6 weeks old - feeling scared - you should be ;)

Against that kind of background anything that helps is good for end users -
maybe not the right "technical quality" to go in a mainstream kernel. And
I think the right things are already going in the kernel - stuff that's
technically sound too like capabilities and posix acls - things like
credential passing.

In the meantime for an ISP it helps. I've got people I do contract stuff for
who have ended up burning their file system onto CD (yes ext2fs does
work off cd ;)). Running a machine with a web server burned weekly on CD
was the only way they felt happy enough. If someone is regularly shooting at
me I'll take 90% cover over waiting for the invention of bulletproof systems 8)

Alan

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.altern.org/andrebalsa/doc/lkml-faq.html
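The "tmp file race" Alan mentions in gcc and the GNU bug reporting scripts is the classic predictable-temp-name problem. The following is an added example, not code from this thread or from gcc, that puts the racy open() pattern beside the exclusive-create form and the mkstemp() form, and exercises them in a private directory. All paths (a mkdtemp() directory under /tmp, a "victim" file, a "predictable.tmp" name) are constructed for the demonstration; the function names are the example's own.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* for mkdtemp, mkstemp, O_NOFOLLOW, symlink */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy pattern: a predictable name opened with O_CREAT but no O_EXCL.
 * If a file or symlink already sits at that path when open() runs,
 * this follows it and truncates whatever it points at. Returns fd or -1. */
int open_tmp_racy(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Exclusive-create pattern for a caller-chosen name: O_EXCL makes the
 * open fail with EEXIST if anything (a symlink included) is already
 * there, so a pre-planted link is refused rather than followed. */
int open_tmp_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* mkstemp() pattern: unpredictable name plus O_CREAT|O_EXCL in one call.
 * tmpl must end in "XXXXXX" and is filled in with the chosen name.
 * The fstat() check confirms the descriptor is a regular file we own. */
int open_tmp_safe(char *tmpl)
{
    int fd = mkstemp(tmpl);
    if (fd == -1)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != getuid()) {
        close(fd);
        unlink(tmpl);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Demonstration harness: in a private directory, plant a symlink at the
 * predictable name pointing at a "victim" file (this is the state the
 * racy pattern fails to guard against), then run each opener.
 * Returns 1 when the racy open clobbered the victim while the exclusive
 * open refused with EEXIST and mkstemp() succeeded; 0 otherwise. */
int demo_symlink_race(void)
{
    char dir[] = "/tmp/racedemoXXXXXX";          /* constructed scratch dir */
    if (mkdtemp(dir) == NULL)
        return 0;

    char target[256], link[256], tmpl[256];
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/predictable.tmp", dir);
    snprintf(tmpl, sizeof tmpl, "%s/safeXXXXXX", dir);

    /* "victim" stands in for any file the unprivileged user may not write. */
    int t = open(target, O_WRONLY | O_CREAT, 0600);
    if (t == -1 || write(t, "important", 9) != 9) { if (t != -1) close(t); return 0; }
    close(t);

    /* Pre-existing symlink at the predictable name. */
    if (symlink(target, link) != 0)
        return 0;

    int racy_fd = open_tmp_racy(link);            /* follows the link */
    int racy_followed = racy_fd != -1;
    if (racy_fd != -1) close(racy_fd);

    struct stat st;
    int victim_truncated = stat(target, &st) == 0 && st.st_size == 0;

    int excl_fd = open_tmp_exclusive(link);       /* must fail: EEXIST */
    int excl_refused = excl_fd == -1 && errno == EEXIST;
    if (excl_fd != -1) close(excl_fd);

    int safe_fd = open_tmp_safe(tmpl);            /* fresh, unguessable name */
    int safe_ok = safe_fd != -1;
    if (safe_fd != -1) { close(safe_fd); unlink(tmpl); }

    unlink(link); unlink(target); rmdir(dir);
    return racy_followed && victim_truncated && excl_refused && safe_ok;
}

int main(void)
{
    printf("racy open followed the link, exclusive/mkstemp opens did not: %s\n",
           demo_symlink_race() ? "yes" : "no");
    return 0;
}
```

The point for an auditor is that the fix is not a shorter window but a different primitive: O_CREAT|O_EXCL (or mkstemp(), which uses it) turns "someone got there first" from a silent redirect into a visible open() failure that the program can log and refuse.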