Re: [patch 1/2] [RFC] Simple tamper-proof device filesystem.



On Wed, 19 Dec 2007 21:11:11 +0900
Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx> wrote:

> Hello.
> 
> Radoslaw Szkodzinski (AstralStorm) wrote:
> > Actually, who needs to create device nodes? Just prohibit everyone from
> > creating them, except "installer" and "udev" personality.
> > This means removing CAP_MKNOD on a global scale.
> 
> What happens if root tampers with udev's configuration file?
> The udev will create inappropriate (i.e. filename with unexpected attributes)
> device nodes, won't it?

Yes. But root doesn't need access to these files, at least not usually.
Create a separate user for editing config files - much lower
probability of breakage. Remove almost all capabilities from root and
profit.

> After all, revoking CAP_MKNOD is not enough for guaranteeing
> filename and its attributes.
> 
> This filesystem is designed to guarantee filename and its attributes,
> but this filesystem has additional access control capability.
> You can forbid mknod/unlink /dev/null if you want nobody to do so.
> You can forbid chmod/chown /dev/null if you want nobody to do so.

You can forbid all operations on /dev (except udev) with an ACL.
So, what is the need for this filesystem?
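The property both sides of this exchange are arguing about is that every node under /dev keeps its expected name and attributes (device type, major/minor numbers, mode, owner). The following script is an added example, not code from this thread, from udev, or from Tetsuo Handa's proposed filesystem: it audits a directory of device nodes against a baseline and reports any drift, which is the check a defender would run regardless of whether CAP_MKNOD is revoked or an ACL is placed on /dev. The BASELINE table and the names DevSpec, describe, audit and scan are all constructed for this example.

```python
"""Audit device nodes against an expected baseline (added example).

Reports nodes whose type, major:minor, permission bits or owner differ
from what the baseline says they should be, plus (optionally) device
nodes the baseline does not list at all.
"""
import os
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class DevSpec:
    kind: str    # "c" for a character device, "b" for a block device
    major: int
    minor: int
    mode: int    # permission bits only (no file-type bits)
    uid: int
    gid: int


# Constructed baseline for a few standard Linux character devices.
BASELINE = {
    "null":    DevSpec("c", 1, 3, 0o666, 0, 0),
    "zero":    DevSpec("c", 1, 5, 0o666, 0, 0),
    "random":  DevSpec("c", 1, 8, 0o666, 0, 0),
    "urandom": DevSpec("c", 1, 9, 0o666, 0, 0),
}


def describe(st):
    """Reduce an os.stat_result to a DevSpec; None if not a device node."""
    if stat.S_ISCHR(st.st_mode):
        kind = "c"
    elif stat.S_ISBLK(st.st_mode):
        kind = "b"
    else:
        return None
    return DevSpec(kind, os.major(st.st_rdev), os.minor(st.st_rdev),
                   stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)


def audit(observed, baseline=BASELINE, strict=False):
    """Compare observed {name: DevSpec or None} with the baseline.

    Returns a sorted list of (name, problem) tuples; an empty list means
    every baseline entry is present with the expected attributes.  With
    strict=True, device nodes absent from the baseline are reported too.
    """
    findings = []
    for name, want in baseline.items():
        got = observed.get(name)
        if got is None:
            findings.append((name, "missing or not a device node"))
            continue
        if (got.kind, got.major, got.minor) != (want.kind, want.major, want.minor):
            findings.append((name, f"device number {got.kind}{got.major}:{got.minor}"
                                   f" != {want.kind}{want.major}:{want.minor}"))
        if got.mode != want.mode:
            findings.append((name, f"mode {got.mode:04o} != {want.mode:04o}"))
        if (got.uid, got.gid) != (want.uid, want.gid):
            findings.append((name, f"owner {got.uid}:{got.gid} != {want.uid}:{want.gid}"))
    if strict:
        for name, got in observed.items():
            if got is not None and name not in baseline:
                findings.append((name, "unexpected device node"))
    return sorted(findings)


def scan(directory="/dev"):
    """Collect a DevSpec (or None) for every entry directly under directory."""
    result = {}
    with os.scandir(directory) as entries:
        for entry in entries:
            try:
                result[entry.name] = describe(os.lstat(entry.path))
            except OSError:
                result[entry.name] = None
    return result


if __name__ == "__main__":
    for name, problem in audit(scan()) or [("(all)", "matches baseline")]:
        print(f"{name}: {problem}")
```

Run as-is it checks the live /dev against the four baseline entries; pass strict=True once the baseline covers everything the system is expected to carry, so a node that udev or anyone with CAP_MKNOD created outside the policy shows up as "unexpected device node".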
