Date: Wed, 21 Jan 2015 13:54:29 +0300
From: Solar Designer <solar@...nwall.com>
To: Ben Hutchings <ben@...adent.org.uk>
Cc: oss-security@...ts.openwall.com
Subject: Re: [RFC PATCH RESEND] vfs: Move security_inode_killpriv() after permission checks

Ben, all -

On Sat, Jan 17, 2015 at 11:26:46PM +0000, Ben Hutchings wrote:
> chown() and write() should clear all privilege attributes on
> a file - setuid, setgid, setcap and any other extended
> privilege attributes.
> 
> However, any attributes beyond setuid and setgid are managed by the
> LSM and not directly by the filesystem, so they cannot be set along
> with the other attributes.
[...]

First of all, thank you for your work on the Linux kernel!

Going forward, I think it may be better to CC this sort of message to
the kernel-hardening list (like it's been done on some occasions before,
see below) rather than to oss-security - and only post summary messages
to oss-security, separately (not CC'ed to anywhere else).  And yes, I'd
like to see those summaries and occasional status updates in here (if a
relevant issue is being discussed on LKML and/or kernel-hardening) -
just not entire LKML threads in full detail (which often includes
comments on coding style, multiple patch revisions, etc.)

http://www.openwall.com/lists/kernel-hardening/

oss-security isn't focused on Linux (let alone the kernel) to an extent
where having lengthy/multiple LKML threads CC'ed in here would be
appropriate, and it's too tough a job for list moderators to choose to
let only some of the messages in a thread like this through to the list
(besides, if a message in a thread is rejected, this annoys/discourages
the sender, and it breaks threading in some archives/MUAs).

The three messages in this thread so far are luckily OK for oss-security
as well, but I am concerned about the general practice and where it
would lead us.  I suggest that we do let further messages in this thread
to oss-security (unless there are too many or they wander too far), but
for further occasions please consider the kernel-hardening list (with
only summaries and infrequent status updates to be sent to oss-security).

Thanks again,

Alexander
