
BSD-style securelevel comes to Linux — again

Posted Sep 11, 2013 22:11 UTC (Wed) by dashesy (subscriber, #74652)
In reply to: BSD-style securelevel comes to Linux — again by bronson
Parent article: BSD-style securelevel comes to Linux — again

Since only owners (and not even root) can change the hypothetical /sys/owner, a user can change it if she is the owner. If you buy a phone, and cat /sys/owner shows Random Vendor, and you cannot change that value, then you have just leased the phone, but at least you know this up front. It would be interesting to buy a car with IVI, and look at its owner.



BSD-style securelevel comes to Linux — again

Posted Sep 13, 2013 1:17 UTC (Fri) by giraffedata (subscriber, #1954)

You seem to be saying if one isn't running with full privileges, then one is not the owner of the system (someone else is), and that misses the point of secure boot.

Secure boot is about saying, "I own this system, but don't let me modify my kernel." Reason: someone might trick me into trying to modify the kernel against my interests. Or I could be walking in my sleep.

It's like a werewolf chaining himself up at sunset on a full moon night.

BSD-style securelevel comes to Linux — again

Posted Sep 13, 2013 1:28 UTC (Fri) by dashesy (subscriber, #74652)

As long as there is any way to own the device, you are the owner. If it requires soldering (or connecting BIOS to flash programmer) though, that does not count.

BSD-style securelevel comes to Linux — again

Posted Sep 13, 2013 2:08 UTC (Fri) by giraffedata (subscriber, #1954)

You lost me in the circular definition: anyone who is capable of owning is the owner. In normal English, anyone who actually does own is the owner. This appears to parse as, "the owner is a person who is capable of being the owner."

So who is the person identified in the sysfs file? The person who owns or the person who is capable of owning (there could be many or none, I guess)? Likewise, does the OWNER security mode mean programs have the privileges of owning or just are capable of getting them?

What it seems to come around to is that the highest security mode has to be called something other than OWNER in order for it to make any sense for a person to choose to run in a lower mode -- and that choice does make sense.

BSD-style securelevel comes to Linux — again

Posted Sep 13, 2013 17:19 UTC (Fri) by rsidd (subscriber, #2582)

I think you mean "pwn", not "own" :) In normal English, owners are not the same as superusers or sysadmins or vendors.

BSD-style securelevel comes to Linux — again

Posted Sep 13, 2013 17:25 UTC (Fri) by dashesy (subscriber, #74652)

Good point :)

Well, for me, I own a machine if I can do whatever I want with it (of course, as long as it does not hurt others). Maybe I should have phrased it this way: I do not own a system if I cannot change /sys/owner name.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds