F15 - status of /run/user, /dev/shm, and potential for a DoS attack

JB jb.1234abcd at gmail.com
Wed May 18 20:19:49 UTC 2011


Adam Williamson <awilliam <at> redhat.com> writes:

> 
> On Wed, 2011-05-18 at 19:35 +0000, JB wrote:
> 
> > The end users of F15 are at risk.
> > They should be fully advised what's the danger with this product.
> > After all, it is an open-source project.
> > 
> > The issue is serious, because it raises not only technical questions, but
> > also internal (Security, QA, etc teams) and policy ones.
> 
> Your post is long on platitudes and short on specifics. It's not very
> convincing, frankly.

Sorry about disappointing you :-)

> It's all very well to soapbox about the importance
> of security, but you need a solid justification as to why you believe
> local DoS exploits should be treated as a major issue.

In the age of host systems being connected to the Internet (or even intranets and
extranets), the distinction between *local* and *remote* security issues is
artificial, frankly.

This has already been proven to you in the other thread "Security release
criterion proposal".

> Please also consider the target audience and intended use cases of
> Fedora in doing so. Fedora is not a distribution we generally expect to
> be put into use in contexts where a DoS is a really significant problem;
> we don't expect anyone to be running it on critical servers. This is one
> reason we tend to consider code execution issues to be far more
> serious. It's also likely that it is not commonly used in a true
> multi-user configuration with non-trusted users. Remember that Fedora is
> not RHEL.

Yes, we know it.
But it helps to be open with your user base, who are your testers, users, and
supporters.
And do not forget that many users share their knowledge with you and other
users here. You should not ignore them.
Make the most out of it while you have them around here!

JB




