Re: Please read if you use x86 -current

[Thor Lancelot Simon <tls%rek.tjls.com@localhost>]

On Thu, Nov 13, 2008 at 08:20:26PM +0200, Antti Kantee wrote:
> 
> Uh, so let me try to see if I understood you now.  Are you suggesting
> you're worried that a process with root priviledges can compromise
> system security?

Yes.  The 4.4BSD security policy is specifically designed to prevent
this, and it works very well.  A process running as root on _this_
instance of the system is not supposed to be able to alter the state
of _future_ instances of the system.  This constrains the amount of
work necessary to clean up from the exploitation of a security hole
in some specific piece of userspace code.

> I do not recommend running a file server as root, *especially not*
> when running against an untrusted image.  Or do people run a http or
> name server as root also?

That isn't (all of) the problem.  In order to use user-space file
servers *running as any user*, the user has to allow user access to
raw devices.  As soon as you do that, root processes can bypass the
security policy.  That is the major problem.

> In other words, the security problem for the userspace file system server
> scenario does not exist.

If you're willing to abandon the protection the 4.4BSD model gives you
against persistent system compromise, perhaps that's so.  But we have
not thrown out the security model so far, and I can't see why this is
a good time to suddenly decide it's not worth thinking about any more.

-- 
Thor Lancelot Simon                                        
tls%rek.tjls.com@localhost
    "Even experienced UNIX users occasionally enter rm *.* at the UNIX
     prompt only to realize too late that they have removed the wrong
     segment of the directory structure." - Microsoft WSS whitepaper