Re: IMMUTABLE and APPEND-ONLY rationales

From: Gregory Maxwell (greg@linuxpower.cx)
Date: Sun Jun 25 2000 - 19:42:53 EST


On Sun, 25 Jun 2000, David Ford wrote:

> Gregory Maxwell wrote:
>
> > I don't understand what the purpose of having a user_immutable is. Immutable
> > was put in as some kind of fix for morons who can't comprehend the -f flag
> > and its consequences. It's there as part of a system lockdown function.
>
> Not all morons are created equal. Some can spell. Your argument immediately loses
> its value when you lower yourself. If you worked in a security profession, you
> would understand the value of layered access.

I agree that my spelling is not always up to par and I seldom care or
remember to run a spell check on my postings. However, that issue has no
bearing on the current discussion. The fact that some may see that as an
indicator of my level of knowledge is even more immaterial considering
that you clearly demonstrate that you have absolutely *NO* understanding
of the current Linux-kernel security model.

> Sorry, I use it extensively for myself and clients. It is a very valuable security
> option.

Netbios is widely used on Windows networks. It has several advantages, the
most obvious being ease of configuration. However, that has no bearing on
the technical 'goodness' of the protocol. Netbios is a steaming piece of
crap technology-wise; it over-uses broadcasts and gets almost everything
wrong. I am not aware of anyone who from a technical perspective would
look at Netbios and say "Now, that is a good solution".

Similarly, strange file attributes can be useful and there are people
who want them. That fact alone can not make them a good solution.

"Add features until it breaks" is *not* the Unix philosophy. It's much
more intelligent to design a solution framework which encompasses all of the
common cases while not completely excluding the uncommon ones. Good
technology has architecture.
 
> As I brought up in an earlier email, virtual sites have a -user- managing them, they
> don't have root privileges and won't get them. They should however have the
> resources at hand to prevent their users' scripts or whatnot underneath them from
> harming their data.

Chmod o-w file. If that's not enough then the scripts are broken. If you
implement widespread user-immutable then the same scripts that are
ignoring the w bit will learn to ignore user-immutable. Then
what? User-immutable-immutable?

> Linux supports root or !root users. Linux doesn't have varying
> levels of access. Group permissions again are not sufficient for varying levels of
> access.

This is completely untrue and demonstrates beyond any doubt why you have
no business taking part in this discussion.

> The only difference between Linux and Win9x is Linux has uid 0 and non uid 0. Win9x
> doesn't have that distinction. A two layer access plan simply isn't sufficient for
> everything. Incorporating immutable and user-immutable capabilities with a
> 'securelevel' capability is VERY desirable. If you don't want it, you don't have to
> use it, but as evidenced here, people do want it.

I agree, a two layer plan is not sufficient. That's why no Unix has ever had
just two levels. Users can't disturb other users' files, etc. This model is
even insufficient due to the coarseness of 'root' power. That's why in 2.2
the Linux kernel has virtually no concept of root.

It's obvious that you have no idea what you are talking about, and that
you've made no effort to research the topic.

I don't understand why people who don't have any comprehension of the
existing kernel facilities think they can waltz on in and tell everyone
what features must be added without performing any research.

FACT: The Linux kernel DOES NOT USE a "TWO LAYER" (root & !root) security
      model. Linux uses a capability system. All 'root' level privileges
      are divided into a capability set. There are currently 26 capability
      bits assigned, thus dividing root power into 67,108,863 possible
      access levels.
FACT: The Linux kernel does not need a secure-level. It used to have it,
      it was stupid. Its functionality has been completely superseded by
      capabilities (as long as you apply a patch for raw device access).
FACT: The whole notion of UID 0's special powers is mostly(*) a
      backwards-compatibility feature under Linux.
FACT: It's possible *TODAY* to build a Linux system with no root. (It
      requires some hacking for backwards compatibility, and a daemon to manage
      powers because they aren't in the FS.)

I haven't seen any example uses of user-immutable that wouldn't
eventually lead to the need for user-immutable-immutable. Your best
argument so far has been against my spelling and frankly, I don't know why
I'm wasting my time on some newbie who doesn't even know what's already in
place.

(*) There still is an issue of storing capabilities in the FS for a
capability version of SUID.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
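The capability model the post above leans on can be made concrete with a small decoder. The following C program is an added example, not part of the original message or of the kernel: it parses a capability bitmask in the format of the "CapEff:" line of /proc/<pid>/status (a field from kernels later than the 2.2 series under discussion), counts how many of the 26 capability bits of that era are set, computes the 2^n - 1 access levels the post cites, and reports whether a process holds CAP_LINUX_IMMUTABLE, the single capability that gates the immutable (+i) and append-only (+a) attributes. The three status snippets are constructed for the example; the bit numbers are the ones from <linux/capability.h>.

```c
/* Added example, not from the original post: decode a Linux capability
 * mask in the format of the "CapEff:" line of /proc/<pid>/status and ask
 * whether a process holds CAP_LINUX_IMMUTABLE, the one capability that
 * gates the immutable (+i) and append-only (+a) attributes.  The three
 * status snippets below are constructed for this example. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bit numbers as defined in <linux/capability.h>; only a few are named here. */
enum {
    CAP_CHOWN_BIT           = 0,
    CAP_DAC_OVERRIDE_BIT    = 1,
    CAP_FOWNER_BIT          = 3,
    CAP_SETPCAP_BIT         = 8,
    CAP_LINUX_IMMUTABLE_BIT = 9,
    CAP_SYS_ADMIN_BIT       = 21
};

/* Number of capability bits that were assigned when this thread was written. */
#define ORIGINAL_CAP_BITS 26

/* Constructed /proc/<pid>/status fragments (CapEff is a field of later
 * kernels than the 2.2 series discussed in the thread). */
static const char SAMPLE_STATUS_ROOT[] =
    "Name:\tbash\nUid:\t0\t0\t0\t0\n"
    "CapEff:\t000001ffffffffff\n";          /* 41 bits: a modern full root */
static const char SAMPLE_STATUS_USER[] =
    "Name:\tbash\nUid:\t1000\t1000\t1000\t1000\n"
    "CapEff:\t0000000000000000\n";          /* ordinary user: no capabilities */
static const char SAMPLE_STATUS_IMMUTABLE_ONLY[] =
    "Name:\tlockdownd\nUid:\t1000\t1000\t1000\t1000\n"
    "CapEff:\t0000000000000200\n";          /* only bit 9 = CAP_LINUX_IMMUTABLE */

/* Distinct non-empty capability subsets that n bits allow: 2^n - 1. */
uint64_t cap_access_levels(unsigned n)
{
    return n >= 64 ? UINT64_MAX : (1ULL << n) - 1;
}

/* Find "<key><ws><hex>" in a status buffer and parse the hex mask.
 * Returns 0 and sets *mask on success, -1 if the key is absent or malformed. */
int find_cap_mask(const char *status, const char *key, uint64_t *mask)
{
    size_t klen = strlen(key);
    for (const char *line = status; line && *line; ) {
        if (strncmp(line, key, klen) == 0) {
            const char *p = line + klen;
            while (*p == ' ' || *p == '\t') p++;
            char *end;
            unsigned long long v = strtoull(p, &end, 16);
            if (end == p) return -1;
            *mask = (uint64_t)v;
            return 0;
        }
        line = strchr(line, '\n');
        if (line) line++;
    }
    return -1;
}

int cap_held(uint64_t mask, unsigned bit)
{
    return bit < 64 && ((mask >> bit) & 1);
}

/* Count the set bits among the lowest n capability bits. */
unsigned cap_count(uint64_t mask, unsigned n)
{
    unsigned c = 0;
    for (unsigned b = 0; b < n && b < 64; b++)
        c += (unsigned)((mask >> b) & 1);
    return c;
}

/* 1 if the process described by `status` may set or clear chattr +i/+a,
 * 0 if it may not, -1 if the status has no CapEff line. */
int can_change_immutable(const char *status)
{
    uint64_t eff;
    if (find_cap_mask(status, "CapEff:", &eff) != 0) return -1;
    return cap_held(eff, CAP_LINUX_IMMUTABLE_BIT);
}

/* Read the real /proc/self/status into buf; returns bytes read or -1. */
static long read_self_status(char *buf, size_t len)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, len - 1, f);
    fclose(f);
    buf[n] = '\0';
    return (long)n;
}

int main(void)
{
    const char *samples[] = { SAMPLE_STATUS_ROOT, SAMPLE_STATUS_USER, SAMPLE_STATUS_IMMUTABLE_ONLY };
    const char *names[]   = { "root", "user", "immutable-only" };
    char buf[4096];

    printf("%u capability bits give %llu distinct access levels\n",
           ORIGINAL_CAP_BITS, (unsigned long long)cap_access_levels(ORIGINAL_CAP_BITS));
    for (int i = 0; i < 3; i++) {
        uint64_t eff = 0;
        find_cap_mask(samples[i], "CapEff:", &eff);
        printf("%-15s CapEff=%016llx  of-first-26-bits=%u  can chattr +i: %d\n",
               names[i], (unsigned long long)eff, cap_count(eff, ORIGINAL_CAP_BITS),
               can_change_immutable(samples[i]));
    }
    if (read_self_status(buf, sizeof buf) > 0)   /* real process, Linux only */
        printf("this process: can chattr +i: %d\n", can_change_immutable(buf));
    return 0;
}
```

The point the decoder makes is the one the post makes: "can this process flip the immutable bit" is not a question about UID 0 but about one bit in the effective set, and a process such as the constructed lockdownd sample can hold that bit and nothing else. Whether an unprivileged site owner could ever be handed such a bit is exactly the open item the post footnotes under (*): without capabilities stored in the filesystem there is no capability-aware SUID to grant it with.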



This archive was generated by hypermail 2b29 : Mon Jun 26 2000 - 21:00:07 EST