Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook

[Pavel Machek]

On Fri 2007-06-01 11:00:50, david@xxxxxxx wrote:
> On Fri, 1 Jun 2007, Valdis.Kletnieks@xxxxxx wrote:
> 
> >On Thu, 24 May 2007 14:47:27 -0000, Pavel Machek said:
> >>Yes, if there's significantly more remote bad guys than local bad
> >>guys, and if remote bad guys can't just get some local user first, AA
> >>still has some value.
> >
> >Experience over on the Windows side of the fence indicates that "remote bad
> >guys get some local user first" is a *MAJOR* part of the current real-world
> >threat model - the vast majority of successful attacks on end-user boxes 
> >these
> >days start off with either "Get user to (click on link|open attachment)" or
> >"Subvert the path to a website (either by hacking the real site or 
> >hijacking
> >the DNS) and deliver a drive-by fruiting when the user visits the page".
> 
> and if your local non-root user can create a hard link to /etc/shadow and 
> access it they own your box anyway (they can just set the root password to 
> anything they want). 

I think you need to look how unix security works:

pavel@amd:/tmp$ ln /etc/shadow .
pavel@amd:/tmp$ cat shadow
cat: shadow: Permission denied
pavel@amd:/tmp$

Yes, regular users are permitted to hardlink shadow, no, it is not a
security hole, yes, it is a problem for AA.
									Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/