[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: Heads up for login managers

From: Alan Cox <alan redhat com>
To: List for Fedora Package Maintainers <fedora-maintainers redhat com>
Cc: David Zeuthen <davidz redhat com>
Subject: Re: Heads up for login managers
Date: Mon, 12 Feb 2007 14:52:26 -0500

On Mon, Feb 12, 2007 at 02:42:46PM -0500, Bill Nottingham wrote:
> > So could UID. All you need is a unique identifier for each session. UID can do 
> > that. Whatever you use, it has to be auditable.
> 
> UID isn't unique among sessions.

Our security boundary is the user not the session. Its a fundamental design
upon which the OS is based. The cookie is not unique amongst sessions either
because I can pass it around freely within tasks with my uid just as I should
be able to, and even if I couldn't I could ptrace patch a program with the
cookie and my uid to do what I wanted.

You could build a security model around this, but then I start the following
app in my desktop 

	while(1)
		read command from named pipe
		execute command
		write status to named pipe

and we are back to the fact that security in Linux systems is tied to the user
(or with SELinux arguably user/role, and then the user/role matters not
a cookie)

Tell me why your security model gains from poking around unreliably in the
environment of a task (which is also btw really slow and a path we optimise
against not for) as opposed to operating on the uid.

Alan

Follow-Ups:
- Re: Heads up for login managers
  - From: David Zeuthen

References:
- Heads up for login managers
  - From: David Zeuthen
- Re: Heads up for login managers
  - From: Steve Grubb
- Re: Heads up for login managers
  - From: David Zeuthen
- Re: Heads up for login managers
  - From: Steve Grubb
- Re: Heads up for login managers
  - From: Bill Nottingham

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]