Heads up for login managers
Alan Cox
alan at redhat.com
Mon Feb 12 19:52:26 UTC 2007
On Mon, Feb 12, 2007 at 02:42:46PM -0500, Bill Nottingham wrote:
> > So could UID. All you need is a unique identifier for each session. UID can do
> > that. Whatever you use, it has to be auditable.
>
> UID isn't unique among sessions.
Our security boundary is the user not the session. It's a fundamental design
upon which the OS is based. The cookie is not unique amongst sessions either
because I can pass it around freely within tasks with my uid just as I should
be able to, and even if I couldn't I could ptrace patch a program with the
cookie and my uid to do what I wanted.

You could build a security model around this, but then I start the following
app in my desktop

    while(1)
        read command from named pipe
        execute command
        write status to named pipe

and we are back to the fact that security in Linux systems is tied to the user
(or with SELinux arguably user/role, and then the user/role matters not
a cookie)

Tell me why your security model gains from poking around unreliably in the
environment of a task (which is also btw really slow and a path we optimise
against not for) as opposed to operating on the uid.

Alan
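
The point above about a cookie held in a task's environment, as an added example that is not part of the original message: two tasks run under one uid, the second with the first one's cookie copied in, and an observer keyed on the cookie cannot tell them apart. The variable name SESSION_COOKIE and the cookie values are constructed for illustration; the /proc read assumes Linux procfs and is skipped where it is unavailable.

```python
import os
import subprocess
import sys

COOKIE_VAR = "SESSION_COOKIE"  # hypothetical name, not taken from the thread

# Child task: reports its own cookie and uid, then waits until stdin closes
# so the parent can inspect it while it is still alive.
CHILD = (
    "import os, sys;"
    f"print(os.environ.get({COOKIE_VAR!r}, ''), os.getuid(), flush=True);"
    "sys.stdin.read()"
)

def observe_task(env):
    """Start a task with `env` and return what an observer learns about it."""
    proc = subprocess.Popen([sys.executable, "-c", CHILD], env=env, text=True,
                            stdin=subprocess.PIPE, stdout=subprocess.PIPE)
    cookie, uid = proc.stdout.readline().rstrip("\n").split(" ", 1)
    proc_view = None
    try:
        # What "poking around in the environment of a task" sees from outside.
        with open(f"/proc/{proc.pid}/environ", "rb") as f:
            for entry in f.read().split(b"\0"):
                name, _, value = entry.partition(b"=")
                if name == COOKIE_VAR.encode():
                    proc_view = value.decode()
    except OSError:
        pass  # no procfs, or not readable here
    proc.stdin.close()
    proc.wait()
    proc.stdout.close()
    return {"cookie": cookie, "uid": int(uid), "proc_view": proc_view}

def demo():
    """Return (genuine, relayed): a session task and a same-uid copy of its cookie."""
    session_a = dict(os.environ, **{COOKIE_VAR: "cookie-A"})  # constructed value
    genuine = observe_task(session_a)
    # A task from another session of the same user: the environment is just
    # data the launching process chooses, so the value can be copied across.
    session_b = dict(os.environ, **{COOKIE_VAR: "cookie-B"})  # constructed value
    relayed = observe_task(dict(session_b, **{COOKIE_VAR: genuine["cookie"]}))
    return genuine, relayed

if __name__ == "__main__":
    for label, seen in zip(("genuine", "relayed"), demo()):
        print(label, seen)
```

An audit record keyed on the cookie attributes both tasks to the same session; the uid is the only identifier here that the launching process did not get to choose.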