F15 - status of /run/user, /dev/shm, and potential for a DoS attack

"Jóhann B. Guðmundsson" johannbg at gmail.com
Wed May 18 11:29:27 UTC 2011


On 05/18/2011 09:41 AM, JB wrote:
> Adam Williamson <awilliam <at> redhat.com> writes:
>
>> ...
>>> Was that considered to be a blocker and a part of release criteria for F15 ?
>> Nope. As discussed recently (I think, though I can't find it right now,
>> if anyone has a link that'd be great) on the devel list, this isn't
>> really anything new: just about any vaguely mainstream distro with a
>> typical configuration is subject to any number of known DoS attacks from
>> a local user account. I think it's accurate to say that Fedora doesn't
>> really aim to make it impossible for a local user to DoS the system with
>> an out of the box configuration, so it would not make sense to consider
>> such situations release blocking.
>> ...
> The problems mentioned have system-wide effect.
>
> But one of them is exceptionally important as it will expose systemd, the new
> and all-important system and service manager, to that DoS attack.
>
> Is Fedora's policy to ship a product that has a known, proven, and discussed
> DoS attack venue with this potential implication ?

The QA community is not a security or a risk assessment team.

We leave that part up to the security team, which possesses the necessary
skill, resources and experience to correctly evaluate and assess any
concern raised related to security (or lack thereof) within the project;
thus security-related questions are off topic for this list and should
be asked on Fedora's security mailing list [1] instead.

More information regarding the Fedora Security team can be found here [2].

As Adam mentioned, this has been discussed both on this mailing list and
in some threads and the devel list, for example here [3]. I recommend
that you go through the mailing list both here and on devel to see the
relevant discussion regarding this matter.

Thanks
             JBG

1. https://lists.fedoraproject.org/mailman/listinfo/security
2. http://fedoraproject.org/wiki/Security
3. http://lists.freedesktop.org/archives/systemd-devel/2011-April/001839.html


More information about the test mailing list