[rsbac] Re: rsbac 1.2.3

spender at grsecurity.net spender at grsecurity.net
Tue Jun 29 18:49:08 CEST 2004 

> I am looking forward to your bug reports. BTW, does this root user require 
> specific Linux caps to break out of the jail? Only asking, I have no 
> details yet.

No capabilities are required.  The one method you've already solved in 
one way but don't realize/know that there are multiple ways to perform 
the same filesystem actions.

> This is getting ridiculous. Do you want me to state on the RSBAC main page 
> that even you reported the existence of bugs and indirectly provided some 
> anonymous testing code, but rather wanted to teach me your way of coding 
> than getting the bugs fixed ASAP? I am not going to add a hall of fame for 
> bug reporters, you are by far not the only one.

I'm not asking for a hall of fame, just for you to credit it just as you 
would anyone else, and to label these bugs correctly as vulnerabilities.
It just seems that you're being stubborn about this because you don't 
like the way I disclose vulns.  An honest and reasonable person wouldn't
let that get in their way.

> Right, good point. In some cases these sockets might have been useful to 
> access info outside the jail. This has been fixed after spotting the bug.

Not only access, but inject arbitrary data into the stream, possibly 
causing a compromise of the application outside the jail, depending on 
its implementation.

I guess my problem is that you choose not to differentiate between bugs 
and vulnerabilities.  As a security conscious user, I would be very 
afraid of that.  I believe that using 'bug' dilutes the importance of 
the matter and better describes some harmless thing in an interface 
where a user couldn't select a certain option, or something of the sort.  
I just don't think that most people, when they hear that there were 
bugfixes in a certain release will immediately think "fixed exploitable 
vulnerabilities."  So I think the best thing for users, to urge them to
update to these newer releases, is to call a bug a vulnerability if it 
is so, like in this case.  But if your definition of bug is a 
vulnerability, then that's fine.  I just think it's confusing and 
misleading to the users.

-Brad

More information about the rsbac mailing list