F15 - status of /run/user, /dev/shm, and potential for a DoS attack

Ashwin Mansinghka linux.pundit at gmail.com
Thu May 19 17:23:12 UTC 2011


On 05/19/2011 01:49 AM, JB wrote:
> Adam Williamson <awilliam<at>redhat.com> writes:
>
>>
>> On Wed, 2011-05-18 at 19:35 +0000, JB wrote:
>>
>>> The end users of F15 are at risk.
>>> They should be fully advised what's the danger with this product.
>>> After all, it is an open-source project.
>>>
>>> The issue is serious, because it raises not only technical questions, but
>>> also internal (Security, QA, etc teams) and policy ones.
>>
>> Your post is long on platitudes and short on specifics. It's not very
>> convincing, frankly.
>
> Sorry about disappointing you :-)
>
>> It's all very well to soapbox about the importance
>> on security, but you need a solid justification as to why you believe
>> local DoS exploits should be treated as a major issue.
>
> In the age of host systems being connected to the Internet (or even intranets and
> extranets), the distinction between *local* and *remote* security issues is
> artificial, frankly.
>
> This has been already proven to you in the other thread "Security release
> criterion proposal".
>
>> Please also consider the target audience and intended use cases of
>> Fedora in doing so. Fedora is not a distribution we generally expect to
>> be put into use in contexts where a DoS is a really significant problem;
>> we don't expect anyone to be running it on critical servers. This is one
>> reason we tend to consider code execution issues to be far more
>> serious. It's also likely that it is not commonly used in a true
>> multi-user configuration with non-trusted users. Remember that Fedora is
>> not RHEL.
>
> Yes, we know it.
> But it helps to be open with your user base, who are your testers, users, and
> supporters.
> And do not forget that many users share their knowledge with you and other
> users here. You should not ignore them.
> Make the most out of it while you have them around here !

Is it worth making an effort? Read Adam's postings; they are full of "don't" 
and "do not". If someone asks the question "why?" or "why not?" the 
query is ridiculed. So it is time both Red Hat and Fedora should think 
again, and check if Adam is tasked with too much. Why is he setting 
goals which are not acceptable to so many? Why is he not explaining his 
position? If he explains his position, does it indirectly reveal something 
else?

With regards,
ASHWIN
