[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: SUID executable policy?



On Tue, 2007-04-10 at 12:32 -0400, Alan Cox wrote:
> On Tue, Apr 10, 2007 at 10:49:41AM -0400, Adam Jackson wrote:
> > Exposing the SMBIOS table as a device would be a start.  There's
> > precedent for drivers that do little else besides map a specific region
> > of memory, since /dev/mem is just way too coarse-grained.
> 
> Now let me see. A device driver is more privilged than a setuid binary and
> more attackable. It can't be swapped and it is hard to change as part of
> the kernel.
> 
> Why is a device driver better for this ?

It's a comparable amount of code either way, the auditing is trivial,
changes require a package update either way, and /dev/mem is a bad API
whose use we should not be encouraging.  I am unconvinced by your
reasoning here.

I'm not interested in arguing though.

- ajax


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]