[rsbac] Re: rsbac 1.2.3
spender at grsecurity.net
spender at grsecurity.net
Tue Jun 29 18:49:08 CEST 2004
> I am looking forward to your bug reports. BTW, does this root user require
> specific Linux caps to break out of the jail? Only asking, I have no
> details yet.
No capabilities are required. The one method you've already solved in
one way but don't realize/know that there are multiple ways to perform
the same filesystem actions.
> This is getting ridiculous. Do you want me to state on the RSBAC main page
> that even you reported the existence of bugs and indirectly provided some
> anonymous testing code, but rather wanted to teach me your way of coding
> than getting the bugs fixed ASAP? I am not going to add a hall of fame for
> bug reporters, you are by far not the only one.
I'm not asking for a hall of fame, just for you to credit it just as you
would anyone else, and to label these bugs correctly as vulnerabilities.
It just seems that you're being stubborn about this because you don't
like the way I disclose vulns. An honest and reasonable person wouldn't
let that get in their way.
> Right, good point. In some cases these sockets might have been useful to
> access info outside the jail. This has been fixed after spotting the bug.
Not only access, but inject arbitrary data into the stream, possibly
causing a compromise of the application outside the jail, depending on
its implementation.
I guess my problem is that you choose not to differentiate between bugs
and vulnerabilities. As a security conscious user, I would be very
afraid of that. I believe that using 'bug' dilutes the importance of
the matter and better describes some harmless thing in an interface
where a user couldn't select a certain option, or something of the sort.
I just don't think that most people, when they hear that there were
bugfixes in a certain release will immediately think "fixed exploitable
vulnerabilities." So I think the best thing for users, to urge them to
update to these newer releases, is to call a bug a vulnerability if it
is so, like in this case. But if your definition of bug is a
vulnerability, then that's fine. I just think it's confusing and
misleading to the users.
-Brad
More information about the rsbac
mailing list