09-20-2010, 12:54 PM
Michał Piotrowski

Grrr... modprobe.conf

2010/9/20 Bryn M. Reeves <bmr@redhat.com>:
> On 09/20/2010 01:37 PM, Tom Horsley wrote:
>> On Mon, 20 Sep 2010 11:56:56 +0200
>> Michał Piotrowski wrote:
>>
>>> You can blacklist the firewall modules - it can be critical
>>
>> Actually, I think you can run any arbitrary command to
>> load a module,

Or pass any parameter to a module.

>> so it is probably a gigantic security
>> hole.

Yeah - but it depends on conditions, system configuration etc. It can
be treated as "minor issue", "major issue", "high risk vulnerability"
or "gigantic security hole" - depends on system configuration and
other things. Let's CC devel list.

>
> Kinda what I was thinking. This should be fairly easy to track down with
> the amount of tracing and debugging tools we have in the distro now. I'm
> not convinced it's dracut's

My F13 devel system is not affected - it's a standard web developer
system with databases, web servers, script languages etc. I don't
think that dracut is the culprit.

> doing but if I have time to get a VM
> installed later on I'll try to have a poke around.
>
> Cheers,
> Bryn.

Regards,
Michal
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
09-20-2010, 01:02 PM
drago01

Grrr... modprobe.conf

2010/9/20 Michał Piotrowski <mkkp4x4@gmail.com>:
> 2010/9/20 Bryn M. Reeves <bmr@redhat.com>:
>> On 09/20/2010 01:37 PM, Tom Horsley wrote:
>>> On Mon, 20 Sep 2010 11:56:56 +0200
>>> Michał Piotrowski wrote:
>>>
>>>> You can blacklist the firewall modules - it can be critical
>>>
>>> Actually, I think you can run any arbitrary command to
>>> load a module,
>
> Or pass any parameter to a module.
>
>>> so it is probably a gigantic security
>>> hole.
>
> Yeah - but it depends on conditions, system configuration etc. It can
> be treated as "minor issue", "major issue", "high risk vulnerability"
> or "gigantic security hole" - depends on system configuration and
> other things. Let's CC devel list.

Well depends on the circumstances.

As the file is supposed to be obsolete anyway ... we should just make
modprobe ignore it
 
09-20-2010, 01:08 PM
Michał Piotrowski

Grrr... modprobe.conf

On 20 September 2010 15:02, drago01 <drago01@gmail.com> wrote:
> Well depends on the circumstances.

I fully agree.

>
> As the file is supposed to be obsolete anyway ... we should just make
> modprobe ignore it

This is not a solution to the problem. Now the file will be ignored,
but in a few months someone will change this and the problem returns.

Modprobe can be modified, but also source of the problem should be
found and removed.

Regards,
Michal
 
09-20-2010, 04:26 PM
Jon Masters

Grrr... modprobe.conf

On Mon, 2010-09-20 at 14:54 +0200, Michał Piotrowski wrote:
> 2010/9/20 Bryn M. Reeves <bmr@redhat.com>:
> > On 09/20/2010 01:37 PM, Tom Horsley wrote:
> >> On Mon, 20 Sep 2010 11:56:56 +0200
> >> Michał Piotrowski wrote:
> >>
> >>> You can blacklist the firewall modules - it can be critical
> >>
> >> Actually, I think you can run any arbitrary command to
> >> load a module,
>
> Or pass any parameter to a module.
>
> >> so it is probably a gigantic security
> >> hole.
>
> Yeah - but it depends on conditions, system configuration etc. It can
> be treated as "minor issue", "major issue", "high risk vulnerability"
> or "gigantic security hole" - depends on system configuration and
> other things. Let's CC devel list.
>
> >
> > Kinda what I was thinking. This should be fairly easy to track down with
> > the amount of tracing and debugging tools we have in the distro now. I'm
> > not convinced it's dracut's
>
> My F13 devel system is not affected - it's a standard web developer
> system with databases, web servers, script languages etc. I don't
> think that dracut is the culprit.
>
> > doing but if I have time to get a VM
> > installed later on I'll try to have a poke around.
> >
> > Cheers,
> > Bryn.
>
> Regards,
> Michal

I'm missing the original mail in this thread because I think it went to
a different list. Can someone forward it to me, please. Thanks.

Jon.


 
09-20-2010, 05:02 PM
Robert 'Bob' Jensen

Grrr... modprobe.conf

----- "Jon Masters" <jonathan@jonmasters.org> wrote:
>
> I'm missing the original mail in this thread because I think it went to
> a different list. Can someone forward it to me, please. Thanks.
>
> Jon.
>
>
> --
> devel mailing list
> devel@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel

Messages to the list are available in the web archive.
 
09-20-2010, 06:01 PM
John Reiser

Grrr... modprobe.conf

On 09/20/2010 10:02 AM, Robert 'Bob' Jensen wrote:
>
> ----- "Jon Masters" <jonathan@jonmasters.org> wrote:
>>
>> I'm missing the original mail in this thread because I think it went to
>> a different list. Can someone forward it to me, please. Thanks.
>>
>> Jon.
>>
>>
>> --
>> devel mailing list
>> devel@lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/devel
>
> Messages to the list are available in the web archive.

Please give a helpful reply, or none at all.

The earliest posting in September to devel@lists.fedoraproject.org
with the subject "Grrr... modprobe.conf", namely:
http://lists.fedoraproject.org/pipermail/devel/2010-September/143118.html
is not the first message in the thread. So your quoting the link
> https://admin.fedoraproject.org/mailman/listinfo/devel
is not helpful.

Instead, you should have pointed to
http://lists.fedoraproject.org/pipermail/test/2010-September/093856.html
which is the start of the thread. Notice the 'test' list instead of
the 'devel' list.

 
09-20-2010, 06:03 PM
drago01

Grrr... modprobe.conf

2010/9/20 Michał Piotrowski <mkkp4x4@gmail.com>:
> On 20 September 2010 15:02, drago01 <drago01@gmail.com> wrote:
>> Well depends on the circumstances.
>
> I fully agree.
>
>>
>> As the file is supposed to be obsolete anyway ... we should just make
>> modprobe ignore it
>
> This is not a solution to the problem. Now the file will be ignored,
> but in a few months someone will change this and the problem returns.

Why?
The file is obsolete for a while now, apps that rely on it if any
should crash and burn and use the proper interface (/etc/modprobe.d)
I can't think of a reason why "someone will change this again".

> Modprobe can be modified, but also source of the problem should be
> found and removed.

No disagreement, the culprit should still be found and fixed.
 
09-20-2010, 06:21 PM
Michał Piotrowski

Grrr... modprobe.conf

On 20 September 2010 20:03, drago01 <drago01@gmail.com> wrote:
> Why?
> The file is obsolete for a while now, apps that rely on it if any
> should crash and burn and use the proper interface (/etc/modprobe.d)
> I can't think of a reason why "someone will change this again".

In the same way that someone reverted a vulnerability fix in kernel
http://www.theregister.co.uk/2010/09/15/linux_kernel_regression_bug/

BTW. I think that /etc, /bin, /usr/* etc dirs should be monitored for
world writable files. Maybe some test for sectool should be written?

Regards,
Michal
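
The monitoring suggested in the post above, sketched as an added example (it is not part of the thread and not a sectool test). The function names are hypothetical, and the directive list covers only the three behaviours the thread mentions: running a command on module load (`install`), passing parameters (`options`) and blacklisting.

```python
import os
import stat
import sys

# Directives the thread worries about: "install" runs an arbitrary command,
# "options" passes parameters, "blacklist" can block e.g. firewall modules.
RISKY_DIRECTIVES = ("install", "options", "blacklist")


def world_writable(roots):
    """Yield (path, kind) for world-writable files and non-sticky directories."""
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root):
            for name in dirnames + filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)  # lstat: do not follow symlinks
                except OSError:
                    continue  # vanished or unreadable entry; skip it
                if stat.S_ISLNK(st.st_mode) or not st.st_mode & stat.S_IWOTH:
                    continue
                if stat.S_ISDIR(st.st_mode):
                    # A sticky world-writable directory (like /tmp) is normal.
                    if not st.st_mode & stat.S_ISVTX:
                        yield path, "dir"
                else:
                    yield path, "file"


def risky_modprobe_lines(path):
    """Return (lineno, directive, rest) for risky directives in a modprobe config."""
    hits = []
    with open(path, errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            fields = line.split(None, 1)
            if not fields or fields[0].startswith("#"):
                continue  # blank line or comment
            if fields[0] in RISKY_DIRECTIVES:
                rest = fields[1].strip() if len(fields) > 1 else ""
                hits.append((lineno, fields[0], rest))
    return hits


if __name__ == "__main__":
    # Default roots are the directories named in the post.
    for path, kind in world_writable(sys.argv[1:] or ["/etc", "/bin", "/usr"]):
        print(f"world-writable {kind}: {path}")
        if kind == "file" and "modprobe" in os.path.basename(path):
            for lineno, directive, rest in risky_modprobe_lines(path):
                print(f"  line {lineno}: {directive} {rest}")
```
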
 
09-20-2010, 06:47 PM
drago01

Grrr... modprobe.conf

2010/9/20 Michał Piotrowski <mkkp4x4@gmail.com>:
> On 20 September 2010 20:03, drago01 <drago01@gmail.com> wrote:
>> Why?
>> The file is obsolete for a while now, apps that rely on it if any
>> should crash and burn and use the proper interface (/etc/modprobe.d)
>> I can't think of a reason why "someone will change this again".
>
> In the same way that someone reverted a vulnerability fix in kernel
> http://www.theregister.co.uk/2010/09/15/linux_kernel_regression_bug/

Err.... by that logic we can't fix a bug ever because someone might
revert the fix. (Or I am missing what you are trying to say).
 
09-20-2010, 06:57 PM
Michał Piotrowski

Grrr... modprobe.conf

On 20 September 2010 20:47, drago01 <drago01@gmail.com> wrote:
> 2010/9/20 Michał Piotrowski <mkkp4x4@gmail.com>:
>> On 20 September 2010 20:03, drago01 <drago01@gmail.com> wrote:
>>> Why?
>>> The file is obsolete for a while now, apps that rely on it if any
>>> should crash and burn and use the proper interface (/etc/modprobe.d)
>>> I can't think of a reason why "someone will change this again".
>>
>> In the same way that someone reverted a vulnerability fix in kernel
>> http://www.theregister.co.uk/2010/09/15/linux_kernel_regression_bug/
>
> Err.... by that logic we can't fix a bug ever because someone might
> revert the fix. (Or I am missing what you are trying to say).

I mean, fix can not be reduced to ignoring this file in modprobe,
because this case is not a modprobe problem. You can try to fix this
issue in modprobe, but such a solution can not be fully entrust

Sorry, my English will never be good enough to enough clearly
formulate thoughts

Regards,
Michal
 
