Re: Upstream first policy

[Linus Torvalds]

On Mon, 8 Mar 2010, Rik van Riel wrote:
> 
> > But that thing is _independent_ from the other totally unrelated issue,
> > namely the fact that "/etc/passwd" is a special name in the namespace. In
> > other words, there is "content security", but then there is also
> > "namespace security".
> 
> ... what exactly does the namespace security protect against?
> 
> What is the threat model that the namespace security protects
> against, which is not protected by the content based security?

Umm? Seriously? 

What is _any_ security all about? You try to limit the opportunity for 
damage, accidental or not.

So let's take a trivial example. Let's say that you are root, and you edit 
/etc/shadow by hand. I've done it, you've probably done it, it's not 
rocket science. Now, you do it using any random editor, and most likely 
it's going to write the new file into a temp-file, and then rename that 
temp-file over the old file (perhaps creating a backup of the old file 
depending on editor and settings).

Now, think about what that implies for a moment. Especially consider the 
case that there were ACL's ("inode-based security") on the old /etc/passwd 
or /etc/shadow file that got moved away as a backup. What happened to 
those ACL's when you edited the file using a random editor?

Now, do you see what the difference between pathname-based and inode-based 
security is? Do you realize how if anybody wants to track accesses to 
/etc/shadow, they are not going to be interested in the _old_ backup copy 
of /etc/shadow?

				Linus
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/