
Debian TC vote on init system coupling


Posted Feb 28, 2014 18:57 UTC (Fri) by mathstuf (subscriber, #69389)
In reply to: Debian TC vote on init system coupling by javispedro
Parent article: Debian TC vote on init system coupling

Maybe this is the security flaw being mentioned that Cyberax is questing for? Do you have more details?



Debian TC vote on init system coupling

Posted Feb 28, 2014 20:06 UTC (Fri) by Cyberax (✭ supporter ✭, #52523)

It's not a security issue, really.

A root process can simply move itself to another cgroup hierarchy, since it has access to cgroups.

And a single writer model won't really protect against it because a malicious root process can simply ptrace or replace the cgroups manager with a modified version that allows it to do anything.

Additional confinement is needed to fix this problem, in any case. Be it namespaces, SELinux, AppArmor or something else.
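
The cgroup move described in the comment above is visible from outside the process in `/proc/<pid>/cgroup`. The following is an added example, not part of the original comments: a Python sketch that compares two snapshots of that file and reports the hierarchies in which the process changed cgroup. The snapshots and the `example.service` name are constructed for illustration.

```python
"""Compare two snapshots of /proc/<pid>/cgroup and report membership changes."""


def parse_proc_cgroup(text):
    """Parse /proc/<pid>/cgroup content into {controller_list: cgroup_path}.

    Each line has the form 'hierarchy-ID:controller-list:cgroup-path'.
    The cgroup v2 entry has an empty controller list; it is keyed as 'unified'.
    """
    membership = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # Split at most twice, because the cgroup path may itself contain ':'.
        parts = line.split(":", 2)
        if len(parts) != 3:
            raise ValueError("malformed cgroup line: %r" % line)
        _hierarchy_id, controllers, path = parts
        membership[controllers or "unified"] = path
    return membership


def membership_drift(baseline, current):
    """Return (hierarchy, old_path, new_path) for every hierarchy that differs.

    A hierarchy missing from one snapshot is reported with None on that side.
    """
    drift = []
    for key in sorted(set(baseline) | set(current)):
        old, new = baseline.get(key), current.get(key)
        if old != new:
            drift.append((key, old, new))
    return drift


# Constructed snapshots: the second shows the process back in the root
# cgroup of the cpu,cpuacct hierarchy while the other hierarchies are unchanged.
BASELINE = """\
4:cpu,cpuacct:/system.slice/example.service
3:memory:/system.slice/example.service
1:name=systemd:/system.slice/example.service
"""
LATER = """\
4:cpu,cpuacct:/
3:memory:/system.slice/example.service
1:name=systemd:/system.slice/example.service
"""

if __name__ == "__main__":
    before, after = parse_proc_cgroup(BASELINE), parse_proc_cgroup(LATER)
    for key, old, new in membership_drift(before, after):
        print("hierarchy %s: %s -> %s" % (key, old, new))
```

A check like this only observes the move; preventing it is the job of the confinement mechanisms the comment names.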

