Re: RFC: disablenetwork facility. (v4)

From: Pavel Machek
Date: Mon Dec 28 2009 - 15:55:28 EST


On Mon 2009-12-28 09:37:24, Valdis.Kletnieks@xxxxxx wrote:
> On Mon, 28 Dec 2009 11:10:06 +0100, Pavel Machek said:
>
> > a) make disablenetwork reset to "enablenetwork" during setuid exec
>
> That won't work either. If you only make it 'setuid==0' binaries, you still
> break 'setuid-FOO' binaries that require the net. If you just check the setuid
> bit, it allows a trivial escape by creating a setuid-yourself binary and using
> that to exec something else (now with network access, because we apparently
> don't have a way to remember the previous setting).

It is really only required for binaries setuid to someone else, but
that would be too ugly. (Plus, as someone said, ping is great for
leaking data out.)

Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html