Subject: Re: sysctl knob to let sugid processes dump core (pr 15994)
To: YAMAMOTO Takashi <email@example.com>
From: Travis H. <firstname.lastname@example.org>
Date: 07/14/2006 01:04:19
Long time lurker, first time poster.
On 2/19/06, YAMAMOTO Takashi <email@example.com> wrote:
> btw, s/core/coredump/ might be better as "core" is a too vague term.
And too arcane. Very few people use core memory any more. Most
administrators don't know what it is. I recall a story where a user
wrote a document called core one time, and spent a great deal of time
on it before the cron jobs helpfully removed it.
I'm of the opinion that the primary reason firewalls are successful as
network security devices is that they put most of the network security
decisions in one place. You could theoretically run around and employ
access controls on every daemon in the enterprise, but it is a lot
less error-prone and time-consuming to do it at the network ingress
node. If you scatter them about, it seems like you're going to run a
higher risk of one or more being missed or misunderstood. Even if
there's a list in a file, in practice some amount of administrators
aren't going to bother to read it, or won't notice the cross-reference
from whatever other document they're studying. I best most will just
looking at the output of sysctl -a and trying to "wing it". I'm just
trying to approach this from a pragmatic, human-factors sort of
viewpoint, and I think if you don't group them, more break-ins will
occur as a consequence, and given the choice between inelegant and
0wned, I know which I'd choose.
Is there any way to maybe mark the security-related ones without
grouping them under security? For example, a prefix or suffix? Or a
binary flag, and a flag to sysctl to only list the security-relevant
knobs? Or printing a divider other than a colon in the sysctl output,
after the name (I suggest an exclamation point)?
I know! Sysctl inodes and hardlinks :-) J/K
Resolve is what distinguishes a person who has failed from a failure.
Security "guru" for sale or rent - http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484