Bug#553918: [Pkg-virtualbox-devel] Bug#553918: virtualbox-ose-source: Please, make dkms a recommendation.
On Thu, Nov 12, 2009 at 02:01:40PM +0100, Wolfgang Walter wrote:
> > I don't really see where the security problem is here. Would you mind explaining it?
>
> Say you built your kernel as user foo on one machine.
> ...

I beg to disagree. This doesn't appear to be a security problem in virtualbox-ose but bad admin work. However ...

> I think virtualbox should do it like other similar packages which build kernel modules:
>
> virtualbox-ose-source for building binary-modules as self-sufficient deb-packages
> virtualbox-ose-dkms for the dkms approach
>
> See batman-adv-source|dkms or openafs-modules-source|dkms

This is a better approach, I simply didn't think about this. Will fix for 3.1.0.

Michael
--
Michael Meskes
Michael at Fam-Meskes dot De, Michael at Meskes dot (De|Com|Net|Org)
Michael at BorussiaFan dot De, Meskes at (Debian|Postgresql) dot Org
ICQ: 179140304, AIM/Yahoo/Skype: michaelmeskes, Jabber: mes...@jabber.org
VfL Borussia! Forca Barca! Go SF 49ers! Use: Debian GNU/Linux, PostgreSQL

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#553918: [Pkg-virtualbox-devel] Bug#553918: virtualbox-ose-source: Please, make dkms a recommendation.
On Fri, Nov 06, 2009 at 08:06:33PM +0100, Wolfgang Walter wrote:
> 2) It therefore runs as root. And it even does if /lib/modules/installed kernel/source points to a non privileged build directory which is a security problem.

I don't really see where the security problem is here. Would you mind explaining it?

Michael
Bug#553918: [Pkg-virtualbox-devel] Bug#553918: virtualbox-ose-source: Please, make dkms a recommendation.
On Thursday, 12 November 2009, Michael Meskes wrote:
> On Fri, Nov 06, 2009 at 08:06:33PM +0100, Wolfgang Walter wrote:
> > 2) It therefore runs as root. And it even does if /lib/modules/installed kernel/source points to a non privileged build directory which is a security problem.
>
> I don't really see where the security problem is here. Would you mind explaining it?

Say you built your kernel as user foo on one machine. Say /lib/modules/2.6.31.6/source or /lib/modules/2.6.31.6/build therefore may point to /home/foo/kernels/linux-2.6.31.6

Now you install that kernel on a different machine exposed where user foo exists, too.

You now have to trust machine exposed. You must trust f...@exposed that it does not provide a manipulated /home/foo/kernels/linux-2.6.31.6 which will either produce a trojaned kernel module or simply use errors in dkms, gcc, binutils, ... to gain root access.

I think virtualbox should do it like other similar packages which build kernel modules:

virtualbox-ose-source for building binary-modules as self-sufficient deb-packages
virtualbox-ose-dkms for the dkms approach

See batman-adv-source|dkms or openafs-modules-source|dkms

Regards,
--
Wolfgang Walter
Studentenwerk München
Anstalt des öffentlichen Rechts
Head of IT
Leopoldstraße 15
80802 München
Tel: +49 89 38196 276
Fax: +49 89 38196 150
Email: wolfgang.wal...@stwm.de
http://www.studentenwerk-muenchen.de/
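
An audit for the situation described in the message above, as an added example that is not part of the thread or of any Debian package: it resolves each /lib/modules/<version>/build and source link and reports targets, or directories above them, that are not owned by a trusted uid or are writable by group/other. The function names and the trusted_uids and stop_at parameters are assumptions of this example.

```python
import os
import stat
import sys

LINK_NAMES = ("build", "source")  # the two links named in the thread


def ancestors(path, stop_at):
    """Yield path, then each parent directory, ending at stop_at or /."""
    while True:
        yield path
        parent = os.path.dirname(path)
        if path == stop_at or parent == path:
            return
        path = parent


def link_problems(link, trusted_uids=(0,), stop_at="/"):
    """Return reasons why a root-run build should not follow `link`."""
    real = os.path.realpath(link)
    if not os.path.isdir(real):
        return [f"{link} -> {real}: not an existing directory"]
    problems = []
    for d in ancestors(real, stop_at):
        st = os.stat(d)
        loose = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
        # A sticky parent (like /tmp) does not let others rename entries.
        if d != real and st.st_mode & stat.S_ISVTX:
            loose = 0
        if st.st_uid not in trusted_uids:
            problems.append(f"{link} -> {real}: {d} owned by uid {st.st_uid}")
        elif loose:
            problems.append(f"{link} -> {real}: {d} is group/other writable")
    return problems


def audit(modules_root="/lib/modules", trusted_uids=(0,), stop_at="/"):
    """Check <modules_root>/<version>/{build,source} for every version."""
    findings = []
    if os.path.isdir(modules_root):
        for version in sorted(os.listdir(modules_root)):
            for name in LINK_NAMES:
                link = os.path.join(modules_root, version, name)
                if os.path.lexists(link):
                    findings += link_problems(link, trusted_uids, stop_at)
    return findings


if __name__ == "__main__":
    report = audit(*sys.argv[1:2])
    print("\n".join(report) or "no unsafe build/source links found")
    sys.exit(1 if report else 0)
```

Run as a script it checks /lib/modules with uid 0 as the only trusted owner and exits non-zero when any link is reported.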