Comment 6 for bug 759725
Revision history for this message
| Kees Cook (kees) wrote Re: [Bug 759725] Re: The kernel is no longer readable by non-root users | #6 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
73416ba
(Get the code!)
On Tue, Apr 26, 2011 at 11:21:38AM -0000, Richard W.M. Jones wrote:
> What is being protected by this mode change? This kernel is distributed
> on hundreds of mirrors -- there is no secret in here.
The mode changes do not protect a system from any dedicated attacker (for
the reason you state), but it does have real-world benefits against
simplistic kernel exploitation (keeping kernel symbols away from non-root
users). It is absolutely a trade-off.
> When we install libguestfs, we need to boot using this kernel. What change
> do I need to make to libguestfs so that when a sysadmin installs it, it will
> change the permissions back to 0644 automatically?
Shipping a pair of files in /etc/kernel/
/etc/kernel/
respectively is likely the cleanest approach to handling this.
--
Kees Cook
Ubuntu Security Team