LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

Pencil, Pencil, and Pencil

Dividing the Linux desktop

LWN.net Weekly Edition for June 13, 2013

A report from pgCon 2013

Little things that matter in language design

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Jaunty not even getting security updates.

Jaunty not even getting security updates.

Posted Nov 22, 2010 12:10 UTC (Mon) by Karellen (subscriber, #67644)
In reply to: Jaunty not even getting security updates. by error27
Parent article: Kernel prepatch 2.6.37-rc3

Yes, but it's not an absolute rule. For instance, it normally doesn't override security. If there's a (mis)feature which allows attackers to get root on you machine, and userspace relies on it, in that case it's normally tough luck to userspace.

Which means I'm not sure I would agree with this revert, as the opposite effect should also be achievable in userspace with a "chmod +r /proc/kallsyms" early in the bootup scripts. Those that want or need to enable the original behaviour can do so, while completely eliminating the (albeit brief) period of lesser security that the revert introduces for all users.

Surely the kernel should be as secure as possible by default, no?

(Log in to post comments)

Jaunty not even getting security updates.

Posted Nov 22, 2010 12:40 UTC (Mon) by rahulsundaram (subscriber, #21946) [Link]

Yeah. I think distributions should revert this revert and get a more secure default till the Jaunty thing is not a concern anymore.

Jaunty not even getting security updates.

Posted Nov 22, 2010 14:02 UTC (Mon) by tao (subscriber, #17563) [Link]

You're missing something here. If the attacker can access the file during boot, they already has root privileges on your machine, since they were able to install an initscript...

That said, I agree that taking broken userland behaviour in consideration in this case is stupid; Jaunty is unlikely to ship 2.6.37 anyway. Anyone installing a non-distro kernel should know what they're doing, and thus be able to also patch the relevant package that breaks because of this.

Jaunty not even getting security updates.

Posted Nov 22, 2010 15:22 UTC (Mon) by Karellen (subscriber, #67644) [Link]

I am aware of that, and partly agree, but that response falls very close to the "it's only a theoretical problem; there's no way anyone will be able to actually exploit it" argument beloved of some proprietary software companies with terrible security track records.

Bolstered by the old cryptography saw that anyone can invent a cryptosystem which they themselves are not smart enough to crack, I'm not going to claim that just because I can't think of a way to exploit this problem, it cannot be exploited. Attackers can be fiendishly devious. I'd rather err on the side of caution.

Jaunty not even getting security updates.

Posted Nov 23, 2010 5:58 UTC (Tue) by error27 (subscriber, #8346) [Link]

Kernel hackers upgrade their kernel a lot. You can't even imagine how enraged they would be if your idea was adopted. :P Also we want people to upgrade their kernels as easily as possible because we need testers.

If you're running a distro kernel then changing the permissions on kallsysms is pointless anyway.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds