Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-user

From: Martin Vaeth <martin@×××××.de>
To: gentoo-user@l.g.o
Subject: [gentoo-user] Re: Choosing between system profiles: hardened and desktop for desktop installation.
Date: Fri, 07 Jul 2017 07:53:32
Message-Id: slrnoluff3.qth.martin@lounge.imp.fu-berlin.de
In Reply to: Re: [gentoo-user] Re: Choosing between system profiles: hardened and desktop for desktop installation. by R0b0t1
1 R0b0t1 <r030t1@×××××.com> wrote:
2 > On Thu, Jul 6, 2017 at 1:33 AM, Martin Vaeth <martin@×××××.de> wrote:
3 >> Peter Humphrey <peter@××××××××××××.uk> wrote:
4 >>> On Tuesday 04 Jul 2017 10:14:23 Martin Vaeth wrote:
5 >>>>
6 >>>> With modern browsers and their complexity, you can expect that any
7 >>>> website (or the one who has hacked it) can do anything which the
8 >>>> user of that browser can do if he is sitting on your seat.
9 >>>
10 >>> Have you seen any reports of that kind of thing?
11 >>
12 >> Are you joking? Every CVE of the browser (or of any of its dependencies)
13 >> which eventually allows an "execution of arbitrary code" exploit is
14 >> such an example.
15 >>
16 >>> but I'd expect Linux to be less vulnerable.
17 >>
18 >> This has nothing to do with linux. It is the complexity of the
19 >> browser which is the problem.
20 >
21 > To be fair it is a bit more circuitous on Linux than it is on Windows.
22 > [...] you can't directly cause another process to start executing
23 > your code directly [...] On Windows there exists CreateRemoteThread.
24
25 If you get your browser to do what you wish (e.g. calling
26 CreateRemoteThread on windows) you can usually let it directly execute
27 what you wish, anyway.
28
29 So there is hardly a difference from the system.
30
31 I agree that the number of possible exploits for the former was slightly
32 decreased if you had a correspondingly configured hardened kernel
33 (and provided, of course, that you have not other gapping security holes
34 like polkit, systemd, nepomuk/baloo, ... which all suffer from the
35 same problem than browsers due to the fact that they provide every user
36 access to a much too complex software stack.)
37
38 But my original text was arguing against the claim that the primary
39 purpose of hardened kernels was to protect against untrusted users
40 sitting in front of the keyboard.

Replies

Subject Author
Re: [gentoo-user] Re: Choosing between system profiles: hardened and desktop for desktop installation. Peter Humphrey <peter@××××××××××××.uk>
Re: [gentoo-user] Re: Choosing between system profiles: hardened and desktop for desktop installation. james <garftd@×××××××.net>
Report Message
Find on MARC Find on Google Groups