Re: [PATCH 2/3] Security: Implement disablenetwork semantics. (v4)

[Pavel Machek]

Please fix your email settings.

On Tue 2010-01-12 18:30:56, David Wagner wrote:
> Serge E. Hallyn wrote:
> >Michael, I'm sorry, I should go back and search the thread for the
> >answer, but don't have time right now - do you really need
> >disablenetwork to be available to unprivileged users?
> 
> I don't know about Michael's specific case, but answering more
> broadly, Yes.  There are important use cases for disablenetwork for
> unprivileged users.  Basically, it facilitates privilege separation,
> which is hard to do today.  A privilege-separated software architecture
> is useful for a broad variety of programs that talk to the network --
> some/many of which are unprivileged.  For instance, the very original
> post on this topic referred to a proposal by Dan Bernstein, where Dan
> points out that (for instance) it would make be useful if we could start
> a separate process for decompression (or image file transformation),
> running that separate process with no privileges (including no network
> access) to reduce the impact of vulnerabilities in that code.  Think
> of, say, a browser that needs to convert a .jpg to a bitmap; that
> would be an example of an unprivileged program that could benefit
> from the disablenetwork feature, because it could spawn a separate
> process to do the image conversion.

That's still ok; but is there need for unpriviledged helper executing
setuid probgrams? I don't think so...
								Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/