Re: systemd/cgroups changing permissions (was: Re: Effectively criticizing decisions you disagree with in Debian)
On Mon, Sep 22, 2014 at 10:35:59AM +0900, Joel Rees wrote:
> 2014/09/22 5:21 Ansgar Burchardt ans...@43-1.org:
>> Hi Joel,
>>
>> Joel Rees joel.r...@gmail.com writes:
>>> (6) systemd and cgroups (at minimum) end up overriding the
>>> permissions system. It's bad enough having SELinux and ACLs brought
>>> in to knock holes in the permissions system, but when arbitrary
>>> non-kernel system functions start getting their hands into the
>>> equation, there is no way to be sure that when you set any
>>> particular file under /etc or under ~/ -- including /etc/ssh and
>>> ~/.shh -- as mode 740, that the effective permissions don't end up
>>> 666 or 1147. In this case, even pid 1 is a group of arbitrary
>>> non-kernel functions. Permissions and race conditions are not the
>>> only ways that the modularity of these technologies is broken. I'm
>>> not going to try to enumerate them here.
>>
>> I'm interested how use of systemd and cgroups will make a file in
>> /etc/ssh or ~/.ssh change effective permissions. Could you explain
>> that in simple, reproducible steps?
>
> When I can, I'll file a bug report. If ever. I know the theory, so I
> don't use those, so it's not a high priority for me. If you are
> interested, read the manuals, do the math, it falls out, even though
> the manuals are written with a certain bias.

So why post what you did above? Could you please stop spreading FUD!

--
If you're not careful, the newspapers will have you hating the people
who are being oppressed, and loving the people who are doing the
oppressing. --- Malcolm X

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20140922142730.GG21153@tal

Re: systemd/cgroups changing permissions (was: Re: Effectively criticizing decisions you disagree with in Debian)
On Mon, Sep 22, 2014 at 11:27 PM, Chris Bannister cbannis...@slingshot.co.nz wrote:
> On Mon, Sep 22, 2014 at 10:35:59AM +0900, Joel Rees wrote:
>> 2014/09/22 5:21 Ansgar Burchardt ans...@43-1.org:
>>> Hi Joel,
>>>
>>> Joel Rees joel.r...@gmail.com writes:
>>>> (6) systemd and cgroups (at minimum) end up overriding the
>>>> permissions system. It's bad enough having SELinux and ACLs brought
>>>> in to knock holes in the permissions system, but when arbitrary
>>>> non-kernel system functions start getting their hands into the
>>>> equation, there is no way to be sure that when you set any
>>>> particular file under /etc or under ~/ -- including /etc/ssh and
>>>> ~/.shh -- as mode 740, that the effective permissions don't end up
>>>> 666 or 1147. In this case, even pid 1 is a group of arbitrary
>>>> non-kernel functions. Permissions and race conditions are not the
>>>> only ways that the modularity of these technologies is broken. I'm
>>>> not going to try to enumerate them here.
>>>
>>> I'm interested how use of systemd and cgroups will make a file in
>>> /etc/ssh or ~/.ssh change effective permissions. Could you explain
>>> that in simple, reproducible steps?
>>
>> When I can, I'll file a bug report. If ever. I know the theory, so I
>> don't use those, so it's not a high priority for me. If you are
>> interested, read the manuals, do the math, it falls out, even though
>> the manuals are written with a certain bias.
>
> So why post what you did above? Could you please stop spreading FUD!

My response to this, for the benefit of the mail archives:

https://lists.debian.org/debian-user/2014/09/msg01629.html

--
Joel Rees

Computer storage is just fancy paper, the CPUs are just fancy pens.
All is a stream of text, flowing forever from the past into the future.

Archive: https://lists.debian.org/caar43iohlxykfb2qfkbavj7k1ogn09zfeh4oxue5cttlwxn...@mail.gmail.com

systemd/cgroups changing permissions (was: Re: Effectively criticizing decisions you disagree with in Debian)
Hi Joel,

Joel Rees joel.r...@gmail.com writes:
> (6) systemd and cgroups (at minimum) end up overriding the
> permissions system. It's bad enough having SELinux and ACLs brought
> in to knock holes in the permissions system, but when arbitrary
> non-kernel system functions start getting their hands into the
> equation, there is no way to be sure that when you set any
> particular file under /etc or under ~/ -- including /etc/ssh and
> ~/.shh -- as mode 740, that the effective permissions don't end up
> 666 or 1147. In this case, even pid 1 is a group of arbitrary
> non-kernel functions. Permissions and race conditions are not the
> only ways that the modularity of these technologies is broken. I'm
> not going to try to enumerate them here.

I'm interested how use of systemd and cgroups will make a file in
/etc/ssh or ~/.ssh change effective permissions. Could you explain
that in simple, reproducible steps?

Ansgar

Archive: https://lists.debian.org/854mw0yc2g.fsf...@tsukuyomi.43-1.org

Re: systemd/cgroups changing permissions (was: Re: Effectively criticizing decisions you disagree with in Debian)
2014/09/22 5:21 Ansgar Burchardt ans...@43-1.org:
> Hi Joel,
>
> Joel Rees joel.r...@gmail.com writes:
>> (6) systemd and cgroups (at minimum) end up overriding the
>> permissions system. It's bad enough having SELinux and ACLs brought
>> in to knock holes in the permissions system, but when arbitrary
>> non-kernel system functions start getting their hands into the
>> equation, there is no way to be sure that when you set any
>> particular file under /etc or under ~/ -- including /etc/ssh and
>> ~/.shh -- as mode 740, that the effective permissions don't end up
>> 666 or 1147. In this case, even pid 1 is a group of arbitrary
>> non-kernel functions. Permissions and race conditions are not the
>> only ways that the modularity of these technologies is broken. I'm
>> not going to try to enumerate them here.
>
> I'm interested how use of systemd and cgroups will make a file in
> /etc/ssh or ~/.ssh change effective permissions. Could you explain
> that in simple, reproducible steps?

When I can, I'll file a bug report. If ever. I know the theory, so I
don't use those, so it's not a high priority for me. If you are
interested, read the manuals, do the math, it falls out, even though
the manuals are written with a certain bias.