Re: What's left over.

Stephen Frost (sfrost@snowman.net)
Thu, 31 Oct 2002 12:11:15 -0500



* Alexander Viro (viro@math.psu.edu) wrote:
> On Thu, 31 Oct 2002, Stephen Wille Padnos wrote:
> > Unless I'm missing something, that only works if all the users need
> > *exactly* the same permissions to all files, which isn't a good assumption.
>
> That's the point. In practice shared writable access to a directory can be
> easily elevated to full control of each others' accounts, since most of
> userland code is written in implicit assumption that nothing bad happens with
> directory structure under it. And there is nothing kernel can do about that -
> attacker does action you had explicitly allowed and your program goes bonkers
> since it can't cope with that. Mechanism used to allow that action doesn't
> enter the picture - be it ACLs, groups or something else.

So you're not really arguing against ACLs, you're complaining that
userspace is broken when there's shared write access. That's fine,
userspace should be fixed, inclusion of ACLs into the kernel shouldn't
be denied because of this. ACLs should be optional, of course, and if
you want them some really noisy warnings about the problems of shared
writeable area with current userspace tools. Of course, that same
warning should probably be included in 'groupadd'.

Stephen

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
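
The userspace side of the problem discussed in this message, as an added example that is not part of the original mail or of any code posted to the list: a program opening a file in a directory other users can write to, without assuming the directory's contents are what it expects. The function names, file names and scratch directory are assumptions made for the illustration; only standard POSIX calls are used.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `name` in `dir` for append without trusting the directory's contents. */
int open_in_shared_dir(const char *dir, const char *name)
{
    struct stat st;
    /* Pin the directory once; refuse if its last component is a symlink. */
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0) return -1;
    /* Resolve relative to the pinned fd; never follow a link or block on a FIFO. */
    int fd = openat(dfd, name,
                    O_WRONLY | O_APPEND | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    int saved = errno;
    close(dfd);
    if (fd < 0) { errno = saved; return -1; }
    /* Judge the object actually opened, not the path: regular, ours, one link. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed scenario: scratch dir with one regular file and a symlink to it. */
int demo_shared_dir(void)
{
    char dir[] = "/tmp/shared-XXXXXX", path[64], lnk[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(path, sizeof path, "%s/report.txt", dir);
    snprintf(lnk, sizeof lnk, "%s/alias.txt", dir);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || close(fd) != 0 || symlink(path, lnk) != 0) return -1;
    int ok = open_in_shared_dir(dir, "report.txt");  /* plain file: accepted */
    int bad = open_in_shared_dir(dir, "alias.txt");  /* symlink: ELOOP on Linux */
    int err = errno;
    if (ok >= 0) close(ok);
    unlink(lnk); unlink(path); rmdir(dir);
    return (ok >= 0 && bad < 0 && err == ELOOP) ? 0 : 1;
}

int main(void) { return demo_shared_dir(); }
```

`demo_shared_dir()` returns 0 when the regular file is accepted and the symlink is refused. The checks are the same whether write access to the directory was granted through a group or through an ACL.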