
RE: [MiNT] Was: /proc, will be: /sys



> Do we want a fascist OS?

If fascism can be enabled when needed (and disabled when needed), yes, I
want such a kind of "fascism" :-)

> Let's face it, you will never find a MiNT-box
> running some high-security critical applications.

Yes, nobody will set up a 'secure' setup on a MiNT box, but this is not
a reason not to have improved security - this is a *consequence* of the
fact that MiNT is insecure. So you're generally right, but the problem you
pointed out goes exactly the other way around.

Let me do a small summary. A lot of code in MiNT looks like this:

	if (curproc->euid)
		something();
	else
		something_else();

I ask myself, what is this all for? Obviously, such a piece of code
prevents a user with euid > 0 from achieving the same privileges as the
user with euid = 0 (root). There are privilege levels implemented, groups
of users, access permissions and God knows what else - what for? Of
course, for security in a multiuser setup. If MiNT were intended just
as a Unix emulator for 1-person usage, I think that most of this code
could easily be thrown out of the kernel. But it is there and it is called
"multiuser support".

On the other hand, the "multiuser support" and such code as shown above
can still easily be worked around with a few perfectly legal system calls,
so that any user can become root after a fraction of a second. So we not
only have a hybrid of DOS and Unix, we also seem to have a weird hybrid of
a single-user and multiuser system, a hybrid of secure and insecure OS.
This results in an "averagely secure" OS, so that anyone who actually knows a
programming language and reads the Atari documentation with some
understanding may hack the root account in a minute.

All this is a bit illogical. IMHO, we should either decide to drop the
multiuser support and throw it out of the kernel (making it smaller), or
make some additional efforts to fix the holes so that anyone who WANTS to
have a secure system COULD configure it so. For now the "non-fascist OS"
we have makes it impossible, effectively limiting users' possibilities
thanks to limited security.

I'd of course be for expanding security features and for tending to have a
secure OS, especially if we aren't so far from achieving this. And this is
not a question of what the ps command displays, but a question of the
programming interface it uses. And still, anyone who DOES NOT want security
and does NOT run a multiuser setup can rely on the old "insecure"
behaviour - that's what the SECURELEVEL has been invented for. If
something does not work on SECURELEVEL = 0 (and it did before), it is not
a question of fascist tendencies among programmers heavily attacked by
security paranoia, but it is just a standard, normal, regular, daily
bug to search for and fix.

> IMO, "security"-features
> should make the system more stable and "idiot-proof", not to protect us
> against vicious hackers.

This is also needed (and this is also what I am concerned about, because I
like stable and idiot-proof systems), but this is not called security -
this is called bugfixing :-)

> I would be very surprised if anybody ever bothered
> using whatever info you can get from /proc to hack a MiNT-box.

I can actually think of FOUR methods of using the /proc filesystem to grant
root privileges to a non-root user shell.

--
Konrad M.Kokoszkiewicz
|mail: draco@atari.org                  |  Atari Falcon030 user   |
|http://www.obta.uw.edu.pl/~draco/      | Moderator gregis LATINE |
|http://draco.atari.org                 |       (loquentium)      |

** Ea natura multitudinis est,
** aut servit humiliter, aut superbe dominatur (Liv. XXIV,25)
*************************************************************
** U pospolstwa normalne jest, ze albo sluzy ono unizenie,
** albo bezczelnie sie panoszy.
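
As an added illustration of the SECURELEVEL compromise argued in the message above (this is a constructed model, not code from MiNT or from this mailing list; the struct, the knob and all function names are hypothetical): at level 0 the old permissive behaviour is kept unchanged, while any level above 0 turns the euid check into an actual gate.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed model, not MiNT's real kernel code: a minimal process
 * record and a SECURELEVEL knob. All names here are hypothetical. */
struct proc {
    int pid;
    int euid;                 /* effective user id; 0 is root */
};

static int securelevel = 0;   /* 0 keeps the old permissive behaviour */

/* Accepts levels 0..2; returns 0 on success, -EINVAL otherwise. */
int set_securelevel(int level)
{
    if (level < 0 || level > 2)
        return -EINVAL;
    securelevel = level;
    return 0;
}

/* May 'caller' inspect or modify 'target'? This is the kind of check a
 * /proc interface would make before exposing another process's state.
 * securelevel 0: everyone, as before (no enforcement);
 * securelevel >= 1: only root or a process with the same euid.
 * Returns 0 if allowed, -EACCES if denied. */
int proc_access_allowed(const struct proc *caller, const struct proc *target)
{
    if (securelevel == 0 || caller->euid == 0)
        return 0;
    return caller->euid == target->euid ? 0 : -EACCES;
}

/* Convenience wrapper: set the level, then test caller -> target. */
int check_at_level(int level, int caller_euid, int target_euid)
{
    struct proc caller = { 1, caller_euid }, target = { 2, target_euid };
    if (set_securelevel(level) != 0)
        return -EINVAL;
    return proc_access_allowed(&caller, &target);
}

int main(void)
{
    /* user 1000 looking at a process of user 1001 */
    printf("level 0: %d\n", check_at_level(0, 1000, 1001));      /* 0 */
    printf("level 1: %d\n", check_at_level(1, 1000, 1001));      /* -EACCES */
    printf("root, level 1: %d\n", check_at_level(1, 0, 1001));   /* 0 */
    return 0;
}
```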