On Sat, 10 Nov 2007 23:45:01 -0800, Russ Allbery <[EMAIL PROTECTED]> said:
> Manoj Srivastava <[EMAIL PROTECTED]> writes:

>> Wearing my SELinux hat on, I find that daemons not closing file
>> descriptors when forking children result in a large number of AVC
>> denied messages. Of course, sometimes there are legitimate reasons
>> for not closing the descriptors (and these use cases can then be
>> explicitly allowed in the security policy). Most cases, though, it
>> seems like the authors are just being lazy.

> From a security standpoint, isn't it clearly better to manage the file
> descriptors before invoking the daemon rather than just handing them
> all off to the daemon and trusting the daemon to close them?

I would agree that no entity should be passing open file descriptors
off to other processes unless this is deliberate, and in that case a
proper policy has been written for it.

> Insofar as there is any security impact here (which is dubious in most
> cases),

Why do you say that? If a process acquires a file handle on a
privileged file while running as dpkg_t; and passes it to debconf
running as debconf_t; why is there no security impact? dpkg_t might
have more access than debconf_t in the policy being run.

> I'd say that passing the open debconf file descriptor to the
> daemon is wrong regardless of whether the daemon closes it or not.

Yes.

manoj
--
QOTD: "I thought I saw a unicorn on the way over, but it was just a
horse with one of the horns broken off."
Manoj Srivastava <[EMAIL PROTECTED]> <http://www.debian.org/~srivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C
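
An added example, not part of the original message or of any Debian tool: one way for the launching side to manage descriptors before invoking a daemon, as the thread argues, by auditing which descriptors would cross exec() and marking them close-on-exec. The function names are hypothetical, and the code assumes Linux with /proc mounted.

```c
/* Added example, not code from the thread. Linux: enumerates /proc/self/fd. */
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Count open descriptors >= lowfd that would survive exec(); when fix is
 * nonzero also set FD_CLOEXEC on each. Returns -1 if /proc is unavailable. */
static int scan_inheritable(int lowfd, int fix) {
    DIR *d = opendir("/proc/self/fd");   /* glibc opens this close-on-exec */
    if (!d) return -1;
    int found = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        char *end;
        long fd = strtol(e->d_name, &end, 10);
        if (end == e->d_name || *end != '\0' || fd < lowfd) continue;
        int flags = fcntl((int)fd, F_GETFD);
        if (flags < 0 || (flags & FD_CLOEXEC)) continue;  /* already safe */
        found++;
        if (fix) fcntl((int)fd, F_SETFD, flags | FD_CLOEXEC);
    }
    closedir(d);
    return found;
}

/* Audit: what would a child started right now inherit? */
int count_inheritable(int lowfd) { return scan_inheritable(lowfd, 0); }
/* Mitigation: nothing at or above lowfd crosses the next exec(). */
int seal_descriptors(int lowfd) { return scan_inheritable(lowfd, 1); }

/* Launcher side: seal everything above stderr in the child, then exec.
 * Returns the child's exit status, or -1 on failure. */
int spawn_sealed(char *const argv[]) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (seal_descriptors(3) < 0) _exit(126);  /* refuse to leak blindly */
        execvp(argv[0], argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) { char *argv[] = { "true", NULL }; return spawn_sealed(argv); }
```

Sealing with FD_CLOEXEC rather than close() keeps the descriptors usable in the launcher itself; a descriptor that is meant to be inherited should be passed deliberately and covered by policy, as the message says.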