Date: Sun, 23 Jul 2000 23:22:56 -0700 (PDT)
From: Linus Torvalds <torvalds@transmeta.com>
To: James Sutherland <jas88@cam.ac.uk>
Subject: Re: Direct access to hardware

On Sun, 23 Jul 2000, James Sutherland wrote:
>
> The "security" aspect of this is largely a red herring, I suspect; at
> best, fixing this will make a malicious root marginally less damaging. The
> real issue is just that the kernel is accepting unvalidated parameters
> from userspace, and shooting itself in the foot with them. MS took a fair
> bit of flak, IIRC, for doing this with WIN32K.SYS in NT4. Do we now expect
> higher standards of design from NT than Linux? :-)

What validation?

The OS doesn't even know what the commands do. They are undocumented. And
they vary from drive to drive. How do you expect the OS to validate the
drive firmware update commands for every drive manufacturer?

In short, should we
 - know every single drive, know every command it can take, and do all of
   this inside the OS

OR should we
 - move this policy into user space, and potentially have programs that
   know what different drives can do, and upgrade them the proper way

I think the thing is fairly clear. If you want "the OS" to validate the
parameters, then you should create a user-mode program that validates the
thing.

Basically, Linux already validates everything it _can_ validate. Sure, it
could also verify that only "approved" commands are sent, but what about
the undocumented yet potentially useful ones?

Let's take a hypothetical example (you judge on just _how_ hypothetical it
actually is): imagine that you have a drive that can be made to refuse to
read certain removable media based on where the drive was purchased.
Imagine that this was actually done in firmware, and that there was a way
of overriding it. Imagine further that you moved, and you wanted to make
the drive read certain removable media in the new location, using
undocumented commands..

Should the kernel block those commands because it doesn't know what they
do? Or should the kernel assume that "Oh, he has the permission to do
this, then sure, I'll let him do it..".

Note that everybody has gotten very lathered up about the fact that you
can kill certain hardware. Guess what? This is neither new nor very
exciting. Look at your XFree86 configuration file some time, and read the
warnings in the documentation. And ruminate on it. A monitor can be quite
a bit more expensive than your harddisk.

Furthermore, destroying your harddisk may be the most _polite_ thing that
can be done to you. Quite frankly, I'd personally rather have a dead
harddisk than have all my data on that harddisk be siphoned back to an
intruder. A dead harddisk you might get a refund for under the warranty.
Your credit card information (or your browsing habits or copies of your
personal emails) made available all over the place might be more of a
bother.

"There are worse things than death". Even with harddisks.

		Linus

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/