Re: Some thoughts about stable kernel development

From: Valdis . Kletnieks
Date: Tue Nov 11 2003 - 03:20:20 EST


On Mon, 10 Nov 2003 08:50:44 GMT, John Bradford <john@xxxxxxxxxxxx> said:

> cause annoyance to third parties. Given that, I think a file in the
> root of the kernel tree, saying something like, "Don't use me on an
> internet connected machine unless you know what you're doing" would be
> worth considering.

OK.. I'll bite.. :)

What *additional* level of "know what you're doing" is called for, over and
above the usual "best practices" we wish all net-connected machines implemented?

Or phrased differently - yes, there's several local-user-gets-root attacks that
aren't patched. However, I'm sure that even a tightened down and fully-patched
system has several ways to do that without leveraging a kernel bug, so the
question becomes "balance the chances that the attacker has an exploit for the
kernel bug" against "chance attacker has exploit for set-UID program XYZ".

Or is the assumption that if you understand how "remote execution of
arbitrary code as local user" combines with "local user gets root" to
form the product "you're screwed", sufficient clue is available?
