On 02/06/2016 12:51 AM, Brian Anderson wrote:

My comments are really to do with what I perceive as best practices on how one would approach building systems that are "security conscious". Of course, "convenience" may direct us in different directions during development. I am not sure what you are trying to imply by "safe" as in protecting the GPIOs from misuse. I don't actually see any way to accomplish that. What I do think one can do is to be aware of security considerations and not unnecessarily present an attack surface that can compromise the entire system.


        Using sudo seems much less secure as it exposes the
        application to being exploited for security flaws. And since
        the application is running as root, it has access to everything.


    So, we have a device on a system that can potentially cause
    physical damage to external hardware when something like a wrong
    GPIO state is toggled, or such. How would sudo be less secure in
    this context?


It wouldn't. And that is not my point. I am not talking about how to protect the GPIOs from "bad behaved" programs that are "trusted" as implied by the fact that they are running as a normal user in the group that has access to those GPIOs. If an application is trusted (is a member of the appropriate group or for that matter can sudo), it is a hopeless task to protect the GPIOs from misuse. What I am trying to point out is that running an app as "root" (sudo, set uid, whatever) exposes a security attack vector...a vector that has access to _all_ system resources. I would claim that it is an unnecessary exposure...from a security point of view. YMMV when it comes to "convenience".

    In fact under certain conditions it would be less safe using groups.


How would an application running at a non-root level using groups to access protected resources be less "safe" than an application running as root using sudo?


    Also, "root has access to everything" is wrong. Reread what I've
    written above about running specific commands through sudo.


Errr, an application running as root, by definition, has access to _all_ system resources. The fact that you are limiting just a single application/user to run sudo doesn't limit the attack surface for that application. If your root application is compromised in some way, then the entire system can be compromised. Running as a normal user does not present the same attack surface...it's much smaller and sandboxed by the kernel. Running as root affords no protection enforcement by the kernel.

ba


    On Fri, Feb 5, 2016 at 6:05 PM, Brian Anderson <[email protected]> wrote:

        Err, why?

        Groups are frequently used to restrict access to resources.
        Android exploits groups for permissions and to sandbox
        applications.  And the kernel enforces access.

        Using sudo seems much less secure as it exposes the
        application to being exploited for security flaws. And since
        the application is running as root, it has access to everything.

        But maybe I'm missing something?

        ba

Brian,

This is a great summation of the issue!

Mike
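The group-based access model Brian argues for, as an added example that is not part of the thread: a POSIX shell check a deployment script could run before starting a GPIO-driving application, refusing to proceed as root and requiring that the control path is reachable through a kernel-enforced group permission instead. The sysfs-style path and the group name "gpio" are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Verifies that a GPIO control file is
# reachable through group permissions rather than by running as root.
# Assumes a sysfs-style path and a dedicated group (e.g. "gpio", an
# assumption) that already owns it, typically set by a udev rule or boot script.

# Returns 0 when the current process has uid 0, 1 otherwise.
running_as_root() {
    [ "$(id -u)" -eq 0 ]
}

# Returns 0 when the caller belongs to the group named in $1, 1 otherwise.
in_group() {
    id -Gn | tr ' ' '\n' | grep -qx -- "$1"
}

# gpio_group_ok PATH GROUP
# Returns 0 when PATH is owned by GROUP and group-writable, so a normal
# user in GROUP can drive it without root; 1 otherwise.
gpio_group_ok() {
    path="$1"; group="$2"
    [ -e "$path" ] || return 1
    # -prune keeps find from descending; -group/-perm test the entry itself.
    [ -n "$(find "$path" -prune -group "$group" -perm -g+w -print 2>/dev/null)" ]
}

# gpio_access_check PATH GROUP
# Combined policy check: refuse to run as root (the exposure discussed in
# the thread) and require kernel-enforced group access instead.
# Exit codes: 0 ok, 2 running as root, 3 not in group, 4 path not group-accessible.
gpio_access_check() {
    path="$1"; group="$2"
    if running_as_root; then
        echo "refusing to run as root; use group '$group' instead" >&2
        return 2
    fi
    in_group "$group" || { echo "caller is not in group '$group'" >&2; return 3; }
    gpio_group_ok "$path" "$group" || {
        echo "$path is not owned by '$group' with g+w" >&2; return 4; }
    return 0
}
```

Usage from a start script: `gpio_access_check /sys/class/gpio/export gpio || exit $?` before launching the application as the unprivileged user.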
