[Date Prev][Date Next] [Thread Prev][Thread Next]
[Thread Index]
[Date Index]
[Author Index]
Re: SUID executable policy?
- From: Adam Jackson <ajackson redhat com>
- To: Development discussions related to Fedora Core <fedora-devel-list redhat com>
- Subject: Re: SUID executable policy?
- Date: Tue, 10 Apr 2007 14:00:02 -0400
On Tue, 2007-04-10 at 12:32 -0400, Alan Cox wrote:
> On Tue, Apr 10, 2007 at 10:49:41AM -0400, Adam Jackson wrote:
> > Exposing the SMBIOS table as a device would be a start. There's
> > precedent for drivers that do little else besides map a specific region
> > of memory, since /dev/mem is just way too coarse-grained.
>
> Now let me see. A device driver is more privilged than a setuid binary and
> more attackable. It can't be swapped and it is hard to change as part of
> the kernel.
>
> Why is a device driver better for this ?
It's a comparable amount of code either way, the auditing is trivial,
changes require a package update either way, and /dev/mem is a bad API
whose use we should not be encouraging. I am unconvinced by your
reasoning here.
I'm not interested in arguing though.
- ajax
[Date Prev][Date Next] [Thread Prev][Thread Next]
[Thread Index]
[Date Index]
[Author Index]