Re: [link@miggy.org: Re: [patch 2/8] personality: fix PER_CLEAR_ON_SETID (CVE-2009-1895)]

From: Athanasius
Date: Sun Jul 19 2009 - 08:27:23 EST


On Sat, Jul 18, 2009 at 06:38:05PM -0700, Julien TINNES wrote:
> A process should be able to change its own personality, there is no
> issue with this as long as we restrict the set of personalities which
> are preserved when the process gets new privileges.

And it's that "as long as we ..." that still bothers me. I've *never*
had any need for any use of this personality feature and this net/tun.c
exploit has proven there can be security gotchas with it. I'd prefer if
the whole thing were a kernel config option so I can easily turn it off
and have peace of mind that no future security bug discovered will
affect me.
No, I'd rather not look into using something like SELinux to turn off
one syscall, as that's introducing a whole extra layer of complexity.
Indeed the same exploit can instead make use of SELinux being misconfigured
by some vendors.

If the feature didn't already exist and was now proposed what are the
chances it would make it into the mainline kernel without having a
config option control it? I'm wondering what its chances would be of
being accepted at all given the tentacles it seems to throw in all
directions (search for any of the actual personality feature flags in
the kernel source).
I'd also hazard that such ABI-compatibility with binaries from other
OSes is a feature the great majority of Linux users have never used and
now never will.

--
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
Finger athan(at)fysh.org for PGP key
"And it's me who is my enemy. Me who beats me up.
Me who makes the monsters. Me who strips my confidence." Paula Cole - ME