Re: [PATCH 2/3] Security: Implement disablenetwork semantics. (v4)

From: Casey Schaufler
Date: Mon Jan 11 2010 - 23:01:24 EST

Next message: Mike Galbraith: "Re: tbench regression with 2.6.33-rc1"
Previous message: Frederic Weisbecker: "Re: [PATCH 25/26] kprobes: Convert to raw_spinlocks"
In reply to: Valdis . Kletnieks: "Re: [PATCH 2/3] Security: Implement disablenetwork semantics. (v4)"
Next in thread: Pavel Machek: "Re: [PATCH 2/3] Security: Implement disablenetwork semantics. (v4)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Valdis.Kletnieks@xxxxxx wrote:
> On Sun, 10 Jan 2010 17:46:49 PST, Casey Schaufler said:
>
>> It's much worse than that. A user that has been network disabled
>> who tries using ls may find that it goes looking for the network
>> on each name lookup and has to wait for a timeout for each.
>>
>
> Ya know Casey - I learned back in 1986 or so that if you set up a SunOS 3.2
> cluster using Yellow Pages, professors who managed to unplug the AUI cable
> on the back of their Sun 3/50 would notice things blowing chunks. I have to
> admit that 24 years ago I told them "Well don't do that then", and I have
> to say the same thing for anybody running a login shell network-disabled.
>
> Now, a more subtle point is that a *program* may call getuserbyname() or
> getuserbyuid() and be surprised when it times out - but that's a
> different issue than a network-deprived user calling /bin/ls.
>

I was working at Sun when YP was introduced and was probably the
first person who had to explain what would happen if the network
got disconnected to "security experts". They weren't real happy
then, and shouldn't be happier now. If anything, today's computer
users are less well adapted to dealing with applications that
behave differently when the network is unexpectedly absent because
both the user and the programmer assume that the network will be
there because it always is. They would never set up a situation
where the network would be missing and the programs they use/write
are unlikely to handle the situation. Lazy kids.

>> Then, if there are local file entries that differ
>> from the "official" network account values when the library
>> functions finally fall back on the local values you get the wrong
>> names for file owners.
>>
>
> The sysadmin who set that up already had the bullet in the chamber and
> the gun pointed at their feet. This is another "we knew better a quarter
> century ago" issue - SunOS allowed '+:' at the end of /etc/passwd to merge
> in the YP database, and Sun actively discouraged the sort of "local userid
> overlaps the YP userid space" misconfiguration you mention.
>
>

Sysadmins are so busy fixing Sanborn-Oxley compliance issues (funded)
that they are perfectly happy to put loaded guns in their pants as far
as (unfunded) "real" security is concerned. Sure we knew better. We
knew how to do lots of things back then that the Linux community is
relearning today. Knowing better isn't going to help the current
generation, as wisdom (like you and I have) can only be passed along
by experience and exposure to the wise. I like secure systems myself,
but I certainly understand why so many people don't.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Mike Galbraith: "Re: tbench regression with 2.6.33-rc1"
Previous message: Frederic Weisbecker: "Re: [PATCH 25/26] kprobes: Convert to raw_spinlocks"
In reply to: Valdis . Kletnieks: "Re: [PATCH 2/3] Security: Implement disablenetwork semantics. (v4)"
Next in thread: Pavel Machek: "Re: [PATCH 2/3] Security: Implement disablenetwork semantics. (v4)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]