From: "Theodore Ts'o" <tytso@mit.edu>
To: Andy Lutomirski <luto@amacapital.net>,
Serge Hallyn <serge.hallyn@ubuntu.com>,
Kees Cook <keescook@chromium.org>,
Christoph Lameter <cl@linux.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
Andrew Morton <akpm@linux-foundation.org>,
Richard Weinberger <richard.weinberger@gmail.com>,
Austin S Hemmelgarn <ahferroin7@gmail.com>,
LKML <linux-kernel@vger.kernel.org>,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: Re: [KERNEL] Re: [KERNEL] Re: [KERNEL] Re: Kernel 4.3 breaks security in systems using capabilities
Date: Tue, 10 Nov 2015 07:40:43 -0500 [thread overview]
Message-ID: <20151110124043.GC3717@thunk.org> (raw)
In-Reply-To: <20151110115526.GA2958@ikki.ethgen.ch>
On Tue, Nov 10, 2015 at 12:55:27PM +0100, Klaus Ethgen wrote:
> > You can tell other people that they write privileged programs in the
> > wrong programming language if you like.
>
> Hey, it is not about programming languages. I never said something in
> that direction!
>
> I brought python programs for a bad example in programming and how
> developers work. But that example can be made in any language. Moreover,
> as python is a script language, I would not like it at all, having any
> raised capabilities. And that is also valid for perl that I like much
> more.
And that's the fundamenal problem. Saying that you can only be secure
if **no** scripting languages can be used for **any** privileged
operations is something that _might_ work for you, but it doesn't work
for the 99.99999999999% of the Linux systems out there, many of which
have shell scripts to configure networking, or any host of other
things. Arguably, it's why Posix capalities have utterly failed as
far as usage except for a very, very, very, tiny, limited market.
Scripting languages are just too fundamental to Unix and Linux
systems. And I while I won't speak for Linus here, I suspect this is
one of the places where he'll tell you that this is a prime example of
why many security people are crazy (or in his colorful language,
M***** Monkeys).
You can, after all, simply make any computer 100% secure by the
applied use of thermite --- but the computer won't be very useful
afterwards.
If you want to create a patch, my recommendation would be to do one
that turns off ambient capabilities as a CONFIG option, and hide it
under CONFIG_EXPERT. Or maybe adding a new securebit which disables
ambient capabilities. Whether or not that will be acceptable
upstream, I don't know, mainly because I think a strong case can be
made that such a patch has an audience of one, and adding more
complexity here for an idea which has been time-tested over decades to
be a failure is just not a good idea.
C2 by 92!
- Ted
P.S. What's C2 by 92? The only government mandate that was less
successful than GOSIP. :-) See
https://freedom-to-tinker.com/blog/felten/stupidest-infotech-policy-contest/#comment-15049
for more details.
next prev parent reply other threads:[~2015-11-10 12:40 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-11-02 18:06 Kernel 4.3 breaks security in systems using capabilities Klaus Ethgen
2015-11-02 18:38 ` Richard Weinberger
2015-11-02 18:50 ` Andy Lutomirski
2015-11-02 19:16 ` [KERNEL] " Klaus Ethgen
2015-11-02 19:45 ` Andy Lutomirski
2015-11-05 10:19 ` [KERNEL] " Klaus Ethgen
2015-11-05 16:15 ` Serge E. Hallyn
2015-11-05 17:17 ` [KERNEL] " Klaus Ethgen
2015-11-05 17:34 ` Serge E. Hallyn
2015-11-05 17:48 ` [KERNEL] " Klaus Ethgen
2015-11-05 19:01 ` Andy Lutomirski
2015-11-05 22:08 ` Serge E. Hallyn
2015-11-06 13:58 ` [KERNEL] " Klaus Ethgen
2015-11-06 15:53 ` Theodore Ts'o
2015-11-06 17:15 ` Andy Lutomirski
2015-11-06 17:51 ` Casey Schaufler
2015-11-06 18:05 ` Serge E. Hallyn
2015-11-06 17:56 ` [KERNEL] " Klaus Ethgen
2015-11-06 18:18 ` Serge E. Hallyn
2015-11-07 11:02 ` [KERNEL] " Klaus Ethgen
2015-11-08 17:05 ` Serge E. Hallyn
2015-11-09 16:28 ` Austin S Hemmelgarn
2015-11-09 17:23 ` [KERNEL] " Klaus Ethgen
2015-11-09 19:02 ` Austin S Hemmelgarn
2015-11-09 21:29 ` [KERNEL] " Klaus Ethgen
2015-11-10 0:06 ` Andy Lutomirski
2015-11-10 11:55 ` [KERNEL] " Klaus Ethgen
2015-11-10 12:40 ` Theodore Ts'o [this message]
2015-11-10 13:19 ` [KERNEL] [PATCH] " Klaus Ethgen
2015-11-10 13:35 ` Austin S Hemmelgarn
2015-11-10 17:58 ` [KERNEL] " Klaus Ethgen
2015-11-10 20:39 ` Austin S Hemmelgarn
2015-11-10 13:41 ` Klaus Ethgen
2015-11-11 2:04 ` Theodore Ts'o
2015-11-11 10:14 ` [KERNEL] " Klaus Ethgen
2015-11-11 10:54 ` Theodore Ts'o
2015-11-11 11:13 ` [KERNEL] " Klaus Ethgen
2015-11-10 15:25 ` [KERNEL] Re: [KERNEL] Re: [KERNEL] " Christoph Lameter
2015-11-05 16:19 ` Andy Lutomirski
2015-11-05 17:22 ` [KERNEL] " Klaus Ethgen
2015-11-02 18:52 ` Linus Torvalds
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151110124043.GC3717@thunk.org \
--to=tytso@mit.edu \
--cc=ahferroin7@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=cl@linux.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=richard.weinberger@gmail.com \
--cc=serge.hallyn@ubuntu.com \
--cc=serge@hallyn.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).