Date: Wed, 21 Jan 2015 13:54:29 +0300 From: Solar Designer <solar@...nwall.com> To: Ben Hutchings <ben@...adent.org.uk> Cc: oss-security@...ts.openwall.com Subject: Re: [RFC PATCH RESEND] vfs: Move security_inode_killpriv() after permission checks Ben, all - On Sat, Jan 17, 2015 at 11:26:46PM +0000, Ben Hutchings wrote: > chown() and write() should clear all privilege attributes on > a file - setuid, setgid, setcap and any other extended > privilege attributes. > > However, any attributes beyond setuid and setgid are managed by the > LSM and not directly by the filesystem, so they cannot be set along > with the other attributes. [...] First of all, thank you for your work on the Linux kernel! Going forward, I think it may be better to CC this sort of messages to the kernel-hardening list (like it's been done on some occasions before, see below) rather than to oss-security - and only post summary messages to oss-security, separately (not CC'ed to anywhere else). And yes, I'd like to see those summaries and occasional status updates in here (if a relevant issue is being discussed on LKML and/or kernel-hardening) - just not entire LKML threads in full detail (which often includes comments on coding style, multiple patch revisions, etc.) http://www.openwall.com/lists/kernel-hardening/ oss-security isn't focused on Linux (let alone the kernel) to an extent where having lengthy/multiple LKML threads CC'ed in here would be appropriate, and it's too tough a job for list moderators to choose to let only some of the messages in a thread like this through to the list (besides, if a message in a thread is rejected, this annoys/discourages the sender, and it breaks threading in some archives/MUAs). The three messages in this thread so far are luckily OK for oss-security as well, but I am concerned about the general practice and where it would lead us. I suggest that we do let further messages in this thread to oss-security (unless there are too many or they wander too far), but for further occasions please consider the kernel-hardening list (with only summaries and infrequent status updates to be sent to oss-security). Thanks again, Alexander
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.