"eventually"

Posted Jan 6, 2011 19:53 UTC (Thu) by drag (subscriber, #31333)
In reply to: "eventually" by tialaramex
Parent article: Spengler: False Boundaries and Arbitrary Code Execution

having the ability to sniff passwords/keys/monitor sudo access/etc etc.

All these things qualify as serious issues where you might as well just give them root immediately. Sure, there is a practical difference; maybe somebody has enough intelligence to run a prepared script to exploit a capability-privileged binary, but not enough smarts to know what to do with the ability to ptrace a shell account or whatever... so you _might_ be better off. Maybe not. Maybe you'll win the lottery, too. Maybe nobody will notice that your SMTP server is misconfigured to be an open relay.

But from the perspective of having to actually secure a system it really does not matter.

The difference of a few cycles to get UID0 to a few days to sniff root password is not really a big deal when faced with an exploitable vulnerability.



"eventually"

Posted Jan 6, 2011 20:11 UTC (Thu) by mjg59 (subscriber, #23239)

So there's no benefit in strong passwords, because they only extend the time taken to guess them when compared to weak passwords? Security isn't a binary decision. A capability-based system may still be insecure, and some capabilities are trivially equivalent to root and therefore pretty much useless. But being able to snoop passwords off a tty isn't a win if the system's only ever logged into via key-based accounts, and so a system where your exploited daemon only gives you that option may be more secure than a system where that daemon gives you root immediately.

"eventually"

Posted Jan 7, 2011 0:34 UTC (Fri) by drag (subscriber, #31333)

> So there's no benefit in strong passwords, because they only extend the time taken to guess them when compared to weak passwords?

Isn't this like begging the question, strawman, or some other sort of logical fallacy?

The difference between a weak password (puppy) versus strong password (rE$l1^=^)vCQzI,m>M\m) is several orders of magnitude difference versus what we are discussing here. So much so that it does not have any relevance at all.

> Security isn't a binary decision.

I am glad I never said it was.

> A capability-based system may still be insecure, and some capabilities are trivially equivalent to root and therefore pretty much useless.

It depends on what capabilities you're actually enabling. The benefits over 'setuid 0' can range from 'none' to 'everything in the world'.

"eventually"

Posted Jan 7, 2011 0:35 UTC (Fri) by drag (subscriber, #31333)

(depending on the situation)

"eventually"

Posted Jan 7, 2011 2:11 UTC (Fri) by mjg59 (subscriber, #23239)

You said "The difference of a few cycles to get UID0 to a few days to sniff root password is not really a big deal when faced with an exploitable vulnerability", which I think oversimplifies. Whether it's a big deal or not is context dependent, whereas if the daemon were running as uid 0 it'd be guaranteed to be a big deal.

"eventually"

Posted Jan 7, 2011 6:25 UTC (Fri) by dlang (subscriber, #313)

a weak password vs a strong password sounds like a similar difference to what you would have between a fraction of a second (clock cycles) and a few days (waiting for someone to login and sniffing their password)

1 second to one day is four orders of magnitude.

