Full Disclosure mailing list archives

Re: Linux kernel source archive vulnerable

From: Troy Cregger <tcregger () kennedyinfo com>
Date: Fri, 22 Sep 2006 09:40:30 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I mentioned that the gentoo kernel does not have this problem, other
distros have been shown to have safe file permissions in the kernel
tree, so there is a way to have permissions 'fixed' on distribution. But
before that, and ultimately, it's up to us  to ensure that our systems
are secure...

So if a car is designed with a steering wheel that punctures your chest
if you get in a crash and you are not wearing a seatbelt, that is not a
disgn flaw because you should wear a seatbelt?


Correct.

The point I think, that's been made in this thread already, it's a
matter of dogma, and best practices. To use the car analogy again, most
cars have airbags, but there's still plenty of them out there that don't
and it's up to the people who drive them to fasten the seat belt.

Personally, I have an airbag AND wear a seatbelt.
T.

Schanulleke wrote:

Chris Umphress wrote:

That assumes a proper umask. The kernel source should not depend on
the end user's umask being setup properly.

Is it the kernel developers' fault if your umask is extremely lax for
a normal user? If it is lax, security of the kernel source isn't your
only problem.... Security in general is.


So what you say is.
If there is a fault in a system that you could mitigate by certain 
behaviour, then it is your own responcibility to take that behaviour and 
the fault should not be fix.

So if a car is designed with a steering wheel that punctures your chest 
if you get in a crash and you are not wearing a seatbelt, that is not a 
disgn flaw because you should wear a seatbelt?

Ever heard of defense in depth????

Schanulleke

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


- --
Troy Cregger
Lead Developer, Technical Products.
Kennedy Information, Inc
One Phoenix Mill Ln, Fl 3
Peterborough, NH 03458
(603)924-0900 ext 662
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFE+fOnBEWLrrYRl8RAqbVAJ9mtuOfLaprYFjyVX9UZ+dQOq4+9wCeNow+
2o7gSb4Shtdyex9qqnXxZK8=
=1CKh
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Re: Re: tar alternative, (continued)
- - - Re: Re: tar alternative Tim (Sep 09)
    - Re: tar alternative Aaron Gray (Sep 15)
    - Re: tar alternative Tim (Sep 20)
    - Re: tar alternative Jon Hart (Sep 20)
    - Re: tar alternative Tonnerre Lombard (Sep 20)
  - Re: Linux kernel source archive vulnerable coderpunk (Sep 11)
    - Re: Linux kernel source archive vulnerable Joe Feise (Sep 11)
    - Re: Linux kernel source archive vulnerable coderpunk (Sep 12)
    - Re: Re: Linux kernel source archive vulnerable Chris Umphress (Sep 12)
    - Re: Linux kernel source archive vulnerable Schanulleke (Sep 15)
    - Re: Linux kernel source archive vulnerable Troy Cregger (Sep 22)