The kdbuswreck
Posted Apr 22, 2015 22:12 UTC (Wed) by mezcalero (subscriber, #45103)
In reply to: The kdbuswreck by corbet
Parent article: The kdbuswreck
"Well, then, I'm genuinely confused. If you don't need the capability, why bother checking for it? If you're saying you're doing some other check (user running on the desktop, say), well, I didn't quite catch that. But I said "if", not "iff", so I can claim to have gotten it right :)"
Well, there are multiple ways in which things can be authorized. Here's an example: logind will allow you to kill all processes belonging to a specific user session either if you have CAP_SYS_KILL, or if your user id matches the session's user. Neither of these security checks is mandatory individually, but having one of them is sufficient. That's the exact same way the kernel makes its permission checks on CAP_SYS_KILL. This isn't an algorithm we invented, that's *HOW THESE THINGS WORK*!
And no, you can *not* claim you got this right, you did not. You wrote "only".
Reply to your third reply:
"The message from you linked in the article starts with you saying "I have seen no use of userns for sandboxing normal daemons so far. I have seen tons of daemons using caps for such sandboxing." Obviously you think that should have been interpreted some other way?"
The issue I have is that you connected "Lennart Poettering doesn't see this limitation as a problem" and "user namespaces are not (yet) heavily used" with that little word "because". I said both of these things, but I never said that one was because of the other. That's something you incorrectly made up.
Reply to your fourth reply:
"As you know, the "optional" nature of this is currently not universally believed. See the message from Andy linked at the point you stopped quoting."
Oh well, if you don't believe what the kdbus folks say, how about actually *checking* the kdbus code? It's all open, for review. Also why would you assume that the kdbus developers are dishonest about this?
Reply to your fifth reply:
"Well, I quoted what you said. In retrospect it would have been better if I'd said "implement a new" instead of "support". They were suggesting you make something new and independent of capabilities, you clearly didn't like that idea — not entirely unreasonably, IMO."
There are two things you changed from what I said. In the mail you linked I said "...comprehensive new access control systems that can be used for in-kernel and in-userspace subsystems". First as you noticed by now, I said "new". Secondly, I said "comprehensive ... access control system ... for in-kernel and in-userspace subsystems", the emphasis being on *both* in-kernel and in-userspace here: caps can be that. PK cannot, it is userspace-only, and will never make sense in the kernel and it shouldn't have to.
Reply to your sixth reply:
You called this "kdbuswreck", not "kdbus discussion wreck" or similar. You know exactly how this works: people read the title and skip over the text, and "kdbus" and "wreck" is all that'll be stuck.
Anyway, please be more careful next time.
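The "either a capability or a matching uid" authorization rule described in the comment above, as an added example that is not part of the original post and is not code from logind or the kernel. It models two variants of the rule in userspace: the logind-style check (capability bit OR caller uid equals the session owner's uid) and an approximation of the kernel's own rule for signalling a process, where any of the caller's real/effective uids matching the target's real/saved uid suffices, and otherwise the capability is needed. The capability number used for the kernel rule is CAP_KILL (its value, 5, is the upstream one from <linux/capability.h>); the comment's "CAP_SYS_KILL" is taken here as referring to that capability, which is an assumption. The struct and constants are this example's own; a real implementation would read the caller's credentials from the peer (SO_PEERCRED, /proc/<pid>/status) rather than from a test table.

```c
/* Added example: userspace model of "capability OR credential match"
 * authorization. Not logind or kernel code; see the lead-in for assumptions. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define CAP_KILL 5                         /* value from <linux/capability.h> */
#define CAP_BIT(c) ((uint64_t)1 << (c))    /* bit in an effective-capability mask */

struct creds {
    uint32_t uid, euid, suid;  /* real, effective and saved uid */
    uint64_t caps;             /* effective capability bitmask (assumed format) */
};

/* logind-style rule from the comment: the caller may kill every process of a
 * session if it holds the capability, OR if its uid is the session owner's.
 * Neither check is required on its own; either one is sufficient. */
bool may_kill_session(const struct creds *caller, uint32_t session_uid, int cap)
{
    if (caller->caps & CAP_BIT(cap))
        return true;
    return caller->uid == session_uid;
}

/* Approximation of the kernel's rule for kill(2) on a target process:
 * a credential match between caller {uid,euid} and target {uid,suid}
 * is enough; otherwise CAP_KILL is required. */
bool may_signal_process(const struct creds *caller, const struct creds *target)
{
    if (caller->euid == target->suid || caller->euid == target->uid ||
        caller->uid  == target->suid || caller->uid  == target->uid)
        return true;
    return (caller->caps & CAP_BIT(CAP_KILL)) != 0;
}

/* Constructed sample principals (not real system state). */
const struct creds USER   = { 1000, 1000, 1000, 0 };                 /* plain user */
const struct creds OTHER  = { 1001, 1001, 1001, 0 };                 /* another user */
const struct creds ROOT   = { 0, 0, 0, CAP_BIT(CAP_KILL) };          /* root with CAP_KILL */
/* A setuid-root program started by uid 1000: real uid stays 1000. */
const struct creds SETUID = { 1000, 0, 0, CAP_BIT(CAP_KILL) };

int main(void)
{
    printf("user kills own session:        %d\n", may_kill_session(&USER, 1000, CAP_KILL));
    printf("user kills other's session:    %d\n", may_kill_session(&USER, 1001, CAP_KILL));
    printf("root kills other's session:    %d\n", may_kill_session(&ROOT, 1001, CAP_KILL));
    printf("other signals user's process:  %d\n", may_signal_process(&OTHER, &USER));
    /* The real uid of the setuid program still matches the user's euid. */
    printf("user signals own setuid prog:  %d\n", may_signal_process(&USER, &SETUID));
    printf("root signals user's process:   %d\n", may_signal_process(&ROOT, &USER));
    return 0;
}
```

The setuid case is the one worth noticing: the unprivileged user can still signal the setuid-root program it launched, because the target's real uid matches, even though the target's effective uid is 0. That is the same "one sufficient condition among several" structure the comment describes for logind, and it is why an authorization policy cannot be summarized as "only if the capability is held".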
