This is wrong, wrong, wrong. How many times do we have to educate SELinux users on this?
In case you forgot, here are 8 videos for you to watch:
Or take it straight from the horse's mouth:
In the real world, attackers aren't interested in deleting your home directory. They sure are interested in launching kernel exploits though.
Posted Oct 20, 2009 19:48 UTC (Tue) by nix (subscriber, #2304)
Posted Oct 20, 2009 20:18 UTC (Tue) by njs (guest, #40338)
I am already familiar with ~~all internet traditions~~ everything you're trying to tell me -- patronizing, much?
But fyi, if I didn't already know what you were trying to say, I'd never get it from your post. I said SELinux is intended to lock down programs, and you just respond "wrong, wrong, wrong" and bemoan your sad fate where idiots like me keep saying things that... well, are true, actually, SELinux *is* designed for locking down programs. It is, of course, very important that it does not and cannot guarantee effectiveness (despite all those fancy formal models), and also doesn't address the most important modern desktop threat models, but you didn't actually *say* that.
I think it's absolutely a good thing to open people's eyes to a more nuanced view of security, involving actual discussion of threat models, mitigation versus provably secure, reality-based estimates of exposure, all that good stuff. But your posts seem more interested in showing how terribly ill-used you are than in making the world a better place and frankly, dude, I think grsec's goals are awesome and I still don't care about your personal feelings. Esp. when you're so willing to sacrifice nuance and accuracy (SELinux *has* mitigated attacks, for all its imperfections) on the altar of axe-grinding.
Posted Oct 20, 2009 23:58 UTC (Tue) by spender (subscriber, #23067)
Let's break it down, since you didn't grasp my post apparently:
"making it so your firefox *can't* delete your home directory, even if someone tricks it into loading a bunch of arbitrary code from the web and executing it."
You said that what I quoted from you was "true" -- in what world?
If what you said was true, then an attacker *can't* (your emphasis) choose a kernel exploit as his/her arbitrary code to execute within the context of firefox (the recent perf_counter vuln is a perfect example of one that would work flawlessly), allowing the attacker to change UID to 0, disable SELinux, drop a shell, and then delete your home directory. Is that what you're saying? That that's impossible? Asterisks around "can't" suggests emphasis, and in this case, certitude. I would suggest wrapping it in quotes, or not using the word at all.
I'm really not understanding this: you say something explicitly that is absolutely wrong, I quote your exact sentence and point it out, then you not only insult my understanding of the subject, but claim that what you said was true. Please explain this to me, because clearly I'm in need of education.
Either you're not familiar at all with what I'm trying to tell you, or you don't know the answer to my initial two questions.
Posted Oct 20, 2009 23:59 UTC (Tue) by spender (subscriber, #23067)
Posted Oct 21, 2009 4:11 UTC (Wed) by njs (guest, #40338)
We both know perfectly well that what I described is a design goal for SELinux -- and that's true quite independently of whether this is a useful goal, and whether or not SELinux actually accomplishes it.
Now, absolutely, I was a bit lazy -- I could, maybe should, have gone further and pointed out that SELinux was far from a panacea. Arguably people are so commonly confused about what to expect from "security" code that we have a responsibility not to mislead them further, even by omission. And if you'd called me on that, then I'd have agreed and we'd go on our way, having made the world a slightly better place.
Calling me "wrong, wrong, wrong" and assuming that if I didn't bring up this tangential point then I must be completely ignorant -- that's a little different!
Yes, I really have read your posts here before and understand what you're saying. What I'm trying to say is that 1) I basically *agree* with all the factual/technical content you're trying to get out there; if anything, I'm on your side, but 2) you argue in such grating ways, mixing some excellent points with so much dishonest rhetoric, irrelevant grudges, and derailing of other discussions onto your hobbyhorses, that I'd rather not engage with you myself, and have perfect sympathy for kernel developers who ignore you.
The end result looks almost like a loop where you rant and rave about how no-one listens to you, everyone else goes "uh, maybe he has some points but I'm not sticking around to find out", and then this proves that no-one listens to you and confirms your misunderstood genius cred. If that works for you, great, but leave me out of it. We've all been misunderstood -- heck, Linus slanders some of my work on a pretty regular basis -- but if our goal is to actually accomplish stuff then we just ignore it and do our best to make progress anyway with the hand we're dealt. (The irony is that doing this is what *actually* convinces bystanders that we're awesome, in a way that explaining how those idiots don't appreciate our work does not.)
Posted Oct 21, 2009 6:04 UTC (Wed) by dlang (✭ supporter ✭, #313)
Posted Oct 22, 2009 0:05 UTC (Thu) by nix (subscriber, #2304)
Posted Oct 22, 2009 1:44 UTC (Thu) by njs (guest, #40338)
And was online as recently as February:
Though I'm getting "no route to host" right now -- perhaps because it is getting warm again in Australia :-) (see last link)
Posted Oct 21, 2009 13:21 UTC (Wed) by spender (subscriber, #23067)
SELinux in general improves security by reducing attack surface.
SELinux (with proper policy) prevents applications from shooting themselves in the foot.
SELinux can increase required exploit complexity.
All of these statements I have no problem with.
Here's the root password to my SELinux-protected machine, you can't compromise it.
SELinux can guarantee firefox can't delete your home directory, even in the presence of a skilled attacker.
First two panels of the following: http://grsecurity.net/~spender/mac_security_sesamestreet.jpg (from http://magazine.redhat.com/2007/05/04/whats-new-in-selinu...)
that I take issue with, and will continue to point out when I see it. I wrote a section of our Wiki (http://en.wikibooks.org/wiki/Grsecurity/The_RBAC_System#L...) that puts the information up front (it's the first thing after describing what the RBAC system is) that we plan to update soon with more of a historical lesson of the environment from which access control systems and models originated, how the problem being solved at the time was curbing the problem of careless (specifically, not malicious -- they were considered trusted) administrators.
It was about people control, not program control. Modern day threats like determined/skilled/funded attackers or even modern networking weren't even part of the picture. Any time networking was discussed, it involved private, trusted networks where all machines involved were protected under the same security model. Clearly the Internet is not such a network.
So what you see from people who drink the kool-aid of these old security models and concepts is erroneous extrapolation to a modern environment that these things they hold in such high regard weren't even designed for. It's this kind of misguided illusion that I've been trying to inject doses of reality in for some years now.
As for actually accomplishing stuff, we spend a lot more time doing it than we do talking about it (for instance, I only recently wrote a list of what we developed over the past couple months: http://grsecurity.net/news.php#develup) but that doesn't have anything to do with the original discussion.
Types of attack
Posted Oct 22, 2009 8:49 UTC (Thu) by Cato (subscriber, #7643)
These show that home directories are of interest to malware writers, quite apart from scanning for passwords, financial information, etc. There is no reason why these attacks could not hit Linux, particularly through cross-platform browser/Flash exploits.
Blanket statements on the intentions of attackers aren't very useful - there are many sorts of attackers out there.
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds