Re: dh_installinit

To: debian-devel@lists.debian.org
Subject: Re: dh_installinit
From: Manoj Srivastava <srivasta@debian.org>
Date: Sun, 11 Nov 2007 02:07:35 -0600
Message-id: <[🔎] 878x556w8o.fsf@anzu.internal.golden-gryphon.com>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 87wssp445e.fsf@windlord.stanford.edu> (Russ Allbery's message of "Sat, 10 Nov 2007 23:45:01 -0800")
References: <[🔎] 47320418.1030008@aliasource.fr> <[🔎] 87mytpoqg9.fsf@windlord.stanford.edu> <[🔎] 1194465540.47321904b069a@webmail.aliacom.local> <[🔎] 87k5otr1fg.fsf@windlord.stanford.edu> <[🔎] 473311F7.7020409@aliasource.fr> <[🔎] 2fly7d7lc1q.fsf@saruman.uio.no> <[🔎] 87wssrxpmr.fsf@windlord.stanford.edu> <[🔎] 87pryh6y0j.fsf@anzu.internal.golden-gryphon.com> <[🔎] 87wssp445e.fsf@windlord.stanford.edu>

On Sat, 10 Nov 2007 23:45:01 -0800, Russ Allbery <rra@debian.org> said: 

> Manoj Srivastava <srivasta@debian.org> writes:


>> Wearing my SELinux hat on, I find that daemons not closing file
>> descriptors when forking children result in a large number of AVC
>> denied messages. Of course, sometimes there are legitimate reasons
>> for not closing the descriptors (and these use cases can then be
>> explicitly allowed in the security policy).  Most cases, though, it
>> seems like the authors are just being lazy.

> From a security standpoint, isn't it clearly better to manage the file
> descriptors before invoking the daemon rather than just handing them
> all off to the daemon and trusting the daemon to close them?

        I would agree that no entity should be passing open file
 descriptors off to other processes unless this is  deliberate, and in
 that case a proper policy has been written for it.

> Insofar as there is any security impact here (which is dubious in most
> cases),

        Why do you say that? If a process acquires a file handle on a
 privileged file while running as dpkg_t; and passes it to debconf
 running as debconf_t; why is there no security impact? dpkg_t might
 have more access than debconf_t in the policy being run.

> I'd say that passing the open debconf file descriptor to the
> daemon is wrong regardless of whether the daemon closes it or not.

        Yes.

        manoj
-- 
QOTD: "I thought I saw a unicorn on the way over, but it was just a
horse with one of the horns broken off."
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/~srivasta/>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C

Reply to:

Follow-Ups:
- Re: dh_installinit
  - From: Vincent Danjean <vdanjean.ml@free.fr>
- Re: dh_installinit
  - From: Russ Allbery <rra@debian.org>

References:
- dh_installinit
  - From: Sylvain Garcia <sylvain.garcia@aliasource.fr>
- Re: dh_installinit
  - From: Russ Allbery <rra@debian.org>
- Re: dh_installinit
  - From: Sylvain Garcia <sylvain.garcia@aliasource.fr>
- Re: dh_installinit
  - From: Russ Allbery <rra@debian.org>
- Re: dh_installinit
  - From: Sylvain Garcia <sylvain.garcia@aliasource.fr>
- Re: dh_installinit
  - From: Petter Reinholdtsen <pere@hungry.com>
- Re: dh_installinit
  - From: Russ Allbery <rra@debian.org>
- Re: dh_installinit
  - From: Manoj Srivastava <srivasta@debian.org>
- Re: dh_installinit
  - From: Russ Allbery <rra@debian.org>

Prev by Date: Re: dh_installinit
Next by Date: Re: RFC: cups as "default" printing system for lenny?
Previous by thread: Re: dh_installinit
Next by thread: Re: dh_installinit
Index(es):
- Date
- Thread