[opensuse-factory] Re: [opensuse-kernel] debugfs mounted by default - necessary?
- From: Greg KH <gregkh@xxxxxxx>
- Date: Tue, 6 Dec 2011 09:08:24 -0800
- Message-id: <20111206170824.GA28308@suse.de>
On Tue, Dec 06, 2011 at 05:32:55PM +0100, Marcus Meissner wrote:
> On Tue, Dec 06, 2011 at 07:37:10AM -0800, Greg KH wrote:
> > ...
> > Again, what specifically is wrong with debugfs that is causing problems?
>
> Nothing.
>
> > Is it just the fear of the unknown?
>
> The fear of the yet undiscovered problems.

That fear will always be there, it conflicts with the need/want for new
features and functionality.

> > This "fear of the unknown" for a feature of the kernel that has been
> > there for a very long time is quite strange to me.
> >
> > And again, if there are problems found with any type of security related
> > information leakage that should not be there in debugfs, let us know, it
> > will get fixed.
> >
> > But don't outright ban the thing just because you are "afraid" of it,
> > that's wrong.
>
> Please try to think as a security worker for a short moment...

Please remember that my first full-time Linux job was as a security
worker, I know this field very well. Because of that job, the whole LSM
layer in the kernel was created to try to mitigate these types of
problems, along with the product that today is called apparmor. That
tool does mitigate the attack surface very well, and we support it for
people who are worried about just such things.

> "If there are problems, tell us, we fix it" ... this is the way the
> security world works today (and it works basically).
>
> But this is a huge and ever turning treadmill where we (security and
> developers) can barely keep up running.
>
> What we (security and likely our users) want is a smaller or lower
> running treadmill.

Of course, but then again, you need to balance it with the need of those
same users for those new features and requirements.

To shut down whole subsystems of the kernel just because you "fear" it,
and have not audited it all to your satisfaction is one reaction, but
one that again, goes against what has made Linux successful in the first
place (fast moving where competitors did not.)

> This means reducing what we call (and should be self explanatory)
> "attack surface".
>
> And yes, it is fear.
>
> Fear of the "yet unknown security holes the blackhats know about" or
> for our users the fear of "unknown if hackers have broken in already
> because we have not all updates or unknown issues."
>
> Do you not manage server(s) and fear such breakins?

I do manage such servers, and I do reduce the attack surface on them.

But here you are saying that you want to wholesale remove functionality
by default, of systems that have already shipped, just because you now
fear the unknown of what is in them.

Why not take the 2-3 days and audit the files to remove that fear that
you seem to have. That seems like the more sane approach here, not going
around saying "your 12.1 system is now exposed to the elements, quick,
change the defaults because we really have no idea what is going on
here!", which is what is happening now, right?

thanks,

greg k-h
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-factory+owner@xxxxxxxxxxxx
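As an added example (not part of the thread, and not openSUSE or kernel tooling), a small POSIX shell audit helper in the spirit of the "audit the files" suggestion above: it reports whether debugfs is mounted, where and with which options, and how many entries below the mount point carry the "other read" bit, which is the first list an auditor of a default-mounted debugfs would want. The paths /proc/mounts and /sys/kernel/debug are assumed defaults; both can be overridden so the checks can run against constructed data.

```sh
#!/bin/sh
# debugfs exposure audit (constructed example). Arguments, both optional:
#   $1  mounts file in /proc/mounts format   (default /proc/mounts)
#   $2  directory to scan                    (default: the debugfs mount point)

# Print the first debugfs line from a mounts file (fields: dev mnt fstype opts ...).
debugfs_mount_line() {
    awk '$3 == "debugfs" { print; exit }' "${1:-/proc/mounts}" 2>/dev/null
}

# Print the debugfs mount point, or nothing if debugfs is not mounted.
debugfs_mount_point() {
    debugfs_mount_line "$1" | awk '{ print $2 }'
}

# Print the mount options of the debugfs mount (fourth field).
debugfs_mount_opts() {
    debugfs_mount_line "$1" | awk '{ print $4 }'
}

# Exit status 0 when debugfs is mounted, 1 otherwise (usable from a hardening check).
debugfs_is_mounted() {
    [ -n "$(debugfs_mount_point "$1")" ]
}

# Count entries (directories included) below $1 whose "other read" bit (o+r,
# octal 004) is set. These are the entries an unprivileged local user could
# open if the directories leading to them are traversable, so they are the
# first candidates for a manual review.
world_readable_count() {
    find "$1" -perm -004 2>/dev/null | wc -l | tr -d ' '
}

# Human-readable summary; returns 0 in all cases so it can be used in cron output.
audit_debugfs() {
    mounts=${1:-/proc/mounts}
    if ! debugfs_is_mounted "$mounts"; then
        echo "debugfs: not mounted"
        return 0
    fi
    mnt=$(debugfs_mount_point "$mounts")
    echo "debugfs: mounted at $mnt (options: $(debugfs_mount_opts "$mounts"))"
    echo "entries readable by others under ${2:-$mnt}: $(world_readable_count "${2:-$mnt}")"
}

# Run with no arguments to audit the live system.
[ $# -eq 0 ] && audit_debugfs
```

A non-zero count is a review list, not a finding by itself: many debugfs files are mode 0444 by design, and whether they leak anything depends on the subsystem that created them, which is exactly the per-file audit the mail argues for.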