Subject: Re: The reason for securelevel (was: sysctl knob to let sugid processes dump core (pr 15994))
To: Steven M. Bellovin <smb@cs.columbia.edu>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
List: tech-kern
Date: 01/26/2006 14:05:46
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
>>>>> "Steven" == Steven M Bellovin <smb@cs.columbia.edu> writes:
Steven> In principle, this is a fine idea. In practice, figuring
Steven> out the right set of bits is non-trivial. It's not a direct
Steven> analogy, but SGI has 48 different privileges that a process
Steven> can have.
You missed the point of the discussion.
(VMS had the same problem)
It is precisely this point which argues for securelevel being a macro.
Yes, we can argue about which bit is which.
However, the very gross-level of securelevel often causes people to
run without an appropriate securelevel due to a single item. Of course
you can shoot yourself in the foot this way (leaving a hole in the
fence) --- but the alternative is often to have no fence.
- --
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr@xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Finger me for keys
iQEVAwUBQ9kdiYCLcPvd0N1lAQL0cQf/VtqtAHd+5D0mBnJqYKieQHGgmZm2YL0h
fw03FGn351I1oZCyq/Cm9WKiy/YsvOJn1Ih1082vAkhWjyMr82pWpuEdRzJKwpsB
e1YP03dKCNYsrqOcAMMHwPhce4T7SuoIB579gwkSCQn87sA5N73va+mQWov76ezh
Jh14RQZFardz21/1dmBYQR+9QlXqMjqgzdDW38bX7tZb4KdXAQd+0GkrE6pNQekT
J2muJbvZMStZ24aBKDCvE2+0LLe2s3/v1KzgEmktJ1oCMPg7tVOtT5DlMpUI0V07
W/CrNzRL8c+j0gTREtncR5GkvsDe838fh9gg9qmpiO/1nSZQ4POezw==
=9rfj
-----END PGP SIGNATURE-----