F15 - status of /run/user, /dev/shm, and potential for a DoS attack
linux.pundit at gmail.com
Thu May 19 17:23:12 UTC 2011
On 05/19/2011 01:49 AM, JB wrote:
> Adam Williamson<awilliam<at> redhat.com> writes:
>> On Wed, 2011-05-18 at 19:35 +0000, JB wrote:
>>> The end users of F15 are at risk.
>>> They should be fully advised what's the danger with this product.
>>> After all, it is an open-source project.
>>> The issue is serious, because it raises not only technical questions, but
>>> also internal (Security, QA, etc teams) and policy ones.
>> Your post is long on platitudes and short on specifics. It's not very
>> convincing, frankly.
> Sorry about disappointing you :-)
>> It's all very well to soapbox about the importance
>> on security, but you need a solid justification as to why you believe
>> local DoS exploits should be treated as a major issue.
> In the age of host systems being connected to the Internet (or even intranets and
> extranets), the distinction between *local* and *remote* security issues is
> artificial, frankly.
> This has been already proven to you in the other thread "Security release
> criterion proposal".
>> Please also consider the target audience and intended use cases of
>> Fedora in doing so. Fedora is not a distribution we generally expect to
>> be put into use in contexts where a DoS is a really significant problem;
>> we don't expect anyone to be running it on critical servers. This is one
>> we reason we tend to consider code execution issues to be far more
>> serious. It's also likely that it is not commonly used in a true
>> multi-user configuration with non-trusted users. Remember that Fedora is
>> not RHEL.
> Yes, we know it.
> But it helps to be open with your user base, who are your testers, users, and
> And do not forget that many users share their knowledge with you and other
> users here. You should not ignore them.
> Make the most out of it while you have them around here !
Is it worth making an effort? Read Adam's postings; they are full of "don't"
and "do not". If someone asks the question "why?" or "why not?", the
query is ridiculed. So it is time both Redhat and Fedora should think
again, and check if Adam is tasked with too much. Why is he setting
goals which are not acceptable to so many? Why is he not explaining his
position? If he explains his position, does it indirectly reveal something
else?