
Re: Chattr

To: Ethan Benson <erbenson@xxxxxxxxxx>
Subject: Re: Chattr
From: Andi Kleen <ak@xxxxxxx>
Date: Wed, 1 May 2002 10:15:45 +0200
Cc: linux-xfs@xxxxxxxxxxx
In-reply-to: <20020430232643.Q21791@xxxxxxxxxxxxxxx>
References: <1020174674.24262.0.camel@xxxxxxxxxxxxxxxxxxxx> <20020430062608.M21791@xxxxxxxxxxxxxxx> <1020178382.24279.31.camel@xxxxxxxxxxxxxxxxxxxx> <20020430232706.A28044@xxxxxxxxxxxxx> <20020430143115.O21791@xxxxxxxxxxxxxxx> <20020501014919.A12139@xxxxxxxxxxxxx> <1020210550.1179.3.camel@xxxxxxxxxxxxxxxxxxxxx> <1020211474.1179.6.camel@xxxxxxxxxxxxxxxxxxxxx> <20020501023726.A15270@xxxxxxxxxxxxx> <20020430232643.Q21791@xxxxxxxxxxxxxxx>
Sender: owner-linux-xfs@xxxxxxxxxxx
User-agent: Mutt/
On Tue, Apr 30, 2002 at 11:26:43PM -0800, Ethan Benson wrote:
> > P.S.: Overall I don't think immutable/append-only are too useful because
> > attackers can always get rid of them by mknod'ing a device and writing to
> > the disk directly and forcing an inode flush. So it may not be worth much
> > effort for the pseudo security ones, as they only give a false sense of
> > security.
> this is only because linux' capability system is currently broken, on
> *BSD once the secure level is raised root can no longer access raw
> devices of mounted filesystems, if you raise it to 2 then all raw disk
> devices are blocked.  linux just either needs to add a capability to
> restrict access to mounted fs block devices and/or all block devices,
> or just deny access when CAP_LINUX_IMMUTABLE (or maybe CAP_SYS_RAWIO) is
> removed.  

It's still useless. As long as you have access to /dev/mem you can
patch kernel code which eventually leads to being able to access
raw disks (just load your own driver, not very difficult).

When you disable /dev/mem e.g. your X server stops working.

Even when you disable /dev/mem there are often other ways to access
kernel memory as root, e.g. often drivers have some maintenance ioctls
that can be used to trick some hardware into doing DMA from/to your
buffer. As soon as you can do DMA you have full access to all memory,
equivalent to /dev/mem.

There are good reasons linux never implemented the BSD security level
(it was briefly there in 2.0, but dropped because it was shown to be
useless). It's also the reason why few people use the existing linux
capabilities BTW. With some creativity most capabilities can be used
to eventually access memory or change raw disk, and that leads to 
"super root".

> > The only ones that may be worth it are 'S' (force O_SYNC, especially
> > for directories e.g. to handle qmail/postfix spool dirs without forcing
> > synchronous for the whole fs), 'A' (no atime) and 'd' for incremental 
> > backup purposes.
> noatime is not that useful IMO, if you're worried about atime updates
> there is a mount option, agreed on S(ync).

It is useful for crontab on laptops for example to prevent the disk
spinning up just for the inode flush. noatime is too big a sledgehammer.

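An added example, not part of this thread: a small Python audit that decodes the CapBnd/CapEff masks from a /proc/<pid>/status excerpt and reports which of the capabilities discussed above (CAP_LINUX_IMMUTABLE, CAP_SYS_RAWIO) and the ones the mknod / driver-loading / maintenance-ioctl routes depend on (CAP_MKNOD, CAP_SYS_MODULE, CAP_SYS_ADMIN) are still present. The bit numbers are from the kernel's capability.h; the status text and the choice of which capabilities to count as "bypass" capabilities are assumptions made here.

```python
import re

# Capability bit numbers from the Linux kernel's include/uapi/linux/capability.h.
# Chosen here as the set that lets root defeat chattr +i / +a one way or another.
BYPASS_CAPS = {
    9: "CAP_LINUX_IMMUTABLE",   # clear the i/a attributes directly
    16: "CAP_SYS_MODULE",       # load a driver that reaches raw disk or memory
    17: "CAP_SYS_RAWIO",        # /dev/mem, raw block devices, port I/O
    21: "CAP_SYS_ADMIN",        # mount/remount and many maintenance ioctls
    27: "CAP_MKNOD",            # create a fresh device node for the disk
}
CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$")

def parse_cap_masks(status_text):
    """Return {'CapBnd': int, 'CapEff': int, ...} parsed from /proc/<pid>/status text."""
    masks = {}
    for line in status_text.splitlines():
        m = CAP_LINE.match(line)
        if m:
            masks[m.group(1)] = int(m.group(2), 16)
    return masks

def remaining_bypass_caps(mask):
    """Sorted names of the bypass capabilities still set in a capability bitmask."""
    return sorted(name for bit, name in BYPASS_CAPS.items() if (mask >> bit) & 1)

def drop_bypass_caps(mask):
    """The bitmask a bounding set would need so that none of the bypass caps survive."""
    for bit in BYPASS_CAPS:
        mask &= ~(1 << bit)
    return mask

def audit(status_text):
    """Map CapEff and CapBnd to the bypass capabilities each still contains."""
    masks = parse_cap_masks(status_text)
    return {k: remaining_bypass_caps(v) for k, v in masks.items() if k in ("CapEff", "CapBnd")}

# Constructed sample /proc/self/status excerpt (assumption, not a real capture): a root
# shell whose bounding set has only CAP_LINUX_IMMUTABLE (bit 9) removed.
SAMPLE_STATUS = """Name:\tbash
CapInh:\t0000000000000000
CapPrm:\t000001fffffffdff
CapEff:\t000001fffffffdff
CapBnd:\t000001fffffffdff
CapAmb:\t0000000000000000
"""

if __name__ == "__main__":
    print(audit(SAMPLE_STATUS))
```

Feeding the real contents of /proc/self/status to audit() gives the same report for a live process; an empty list for CapBnd means none of these capabilities can be regained by that process or its children.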
