
Re: dh_installinit

On Sat, 10 Nov 2007 23:45:01 -0800, Russ Allbery <rra@debian.org> said: 

> Manoj Srivastava <srivasta@debian.org> writes:

>> Wearing my SELinux hat on, I find that daemons not closing file
>> descriptors when forking children result in a large number of AVC
>> denied messages. Of course, sometimes there are legitimate reasons
>> for not closing the descriptors (and these use cases can then be
>> explicitly allowed in the security policy).  Most cases, though, it
>> seems like the authors are just being lazy.

> From a security standpoint, isn't it clearly better to manage the file
> descriptors before invoking the daemon rather than just handing them
> all off to the daemon and trusting the daemon to close them?

        I would agree that no entity should be passing open file
 descriptors off to other processes unless this is deliberate, and in
 that case a proper policy has been written for it.

> Insofar as there is any security impact here (which is dubious in most
> cases),

        Why do you say that? If a process acquires a file handle on a
 privileged file while running as dpkg_t; and passes it to debconf
 running as debconf_t; why is there no security impact? dpkg_t might
 have more access than debconf_t in the policy being run.

> I'd say that passing the open debconf file descriptor to the
> daemon is wrong regardless of whether the daemon closes it or not.


QOTD: "I thought I saw a unicorn on the way over, but it was just a
horse with one of the horns broken off."
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/~srivasta/>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C
