tech-kern archive


Re: /sbin/reboot and secmodel



der Mouse wrote:
> Assuming you could do that, how would you make sure that a user
> granted the ability to reboot the system does not take advantage of
> this ability to let the reboot program kill some processes, and
> then SIGKILL it?
> Exactly.  That's the weakness I see (Brian too, apparently).
> I don't see why this isn't solved by moving this work to init (not
> the kernel, please).
>
> In this particular instance, it is.  But this is not going to be the
> last time some multi-part privileged task causes trouble because
> granting the privilege to perform its parts is far more than should be
> granted to perform the conceptual task, and eventually one of them will
> be impractically difficult to solve by pushing the whole task into some
> already-existing privileged process.

I'm not sure. We can't base our design on speculations, we'll have to
actually look for more problems like this. Perhaps we'll find them
faster with people trying to use the new secmodel features. :)

-e.

