Re: [PATCH] kernel: make /proc/kallsyms mode 400 to reduce ease of attacking

From: Willy Tarreau
Date: Mon Nov 29 2010 - 16:50:17 EST

Next message: Greg KH: "Re: [PATCH 1/2] TTY: ldisc, fix open flag handling"
Previous message: Greg KH: "Re: [PATCH v2 1/2] TTY: don't allow reopen when ldisc is changing"
In reply to: H. Peter Anvin: "Re: [PATCH] kernel: make /proc/kallsyms mode 400 to reduce ease ofattacking"
Next in thread: Alan Cox: "Re: [PATCH] kernel: make /proc/kallsyms mode 400 to reduce ease ofattacking"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Nov 29, 2010 at 11:05:58AM -0800, H. Peter Anvin wrote:
> Can we please not use CAP_SYS_ADMIN for this? Relying on CAP_SYS_ADMIN
> is worse than anything else -- it is a fixed policy hardcoded in the
> kernel, with no ability for the system owner to delegate the policy
> outward, e.g. by adding group read permission and/or chgrp the file.
>
> Delegating CAP_SYS_ADMIN, of course, otherwise known as "everything", is
> worse than anything...

Agreed, that's why I still think that hiding lots of valuable information to
non-root users will get more users added to unmanaged sudoers files, which
will result in much more holes in the systems than we currently have.

Willy

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Greg KH: "Re: [PATCH 1/2] TTY: ldisc, fix open flag handling"
Previous message: Greg KH: "Re: [PATCH v2 1/2] TTY: don't allow reopen when ldisc is changing"
In reply to: H. Peter Anvin: "Re: [PATCH] kernel: make /proc/kallsyms mode 400 to reduce ease ofattacking"
Next in thread: Alan Cox: "Re: [PATCH] kernel: make /proc/kallsyms mode 400 to reduce ease ofattacking"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]