Proposal to reduce anti-bundling requirements

Dave Love d.love at liverpool.ac.uk
Tue Oct 6 20:12:04 UTC 2015


Stephen John Smoogen <smooge at gmail.com> writes:

> Because in this networked world
> everything becomes security sensitive because a hacker doesn't need to
> be root to do a lot of things.

My opinion is partly informed by my world being networked, with
experience of compromises on and from research systems, for around 30
years (I'm sorry to say).

> Hackers have used HPC computers for bitcoin mining because a grid app
> had an overflow which allowed them to run apps as a general user. They
> have set up spam farms for similar things. Another just decided, on a
> lark, to change data in a database to see if anyone noticed. All of
> which has interfered with research (and affected at least a couple of
> PhDs' graduation times.)

Security is a question of risk management, and if mis-behaving
application programs pose security problems, then bundled libraries seem
the least of your worries.  I claim some knowledge, since I've made more
security-relevant fixes in a DRM than most people and I don't think
they've gone into the Fedora version.  Anyhow, as far as I can tell,
it's still most commonly configured such that you can submit jobs as any
other user.

You surely have to address that sort of thing, and local privilege
escalations with stolen credentials, before worrying about the
applications being run if they're somehow a risk.

> Most of those break-ins happened because of applications which were
> considered non-security related and usually via a bundled pile of PHP
> or java.

Not in my experience, but that's not the sort of thing I'm talking
about.  (I do worry about unpatched stuff on our head node that I can't
replace without falling foul of the vendor, but it's obviously
security-relevant, and the most horrible vulnerabilities on that cluster
have been due to vendor configuration rather than their lack of security
updates.)

