hoary kernel point release

Matt Zimmerman mdz at ubuntu.com
Tue May 24 17:20:32 UTC 2005


On Tue, May 24, 2005 at 07:46:39AM +0200, Fabio Massimo Di Nitto wrote:

> Matt Zimmerman wrote:
> > Which patch, and which two modules?
> 
> stolen-from-head_libata-updates.dpatch
> 
> When we pulled it in, we believed it was from Linus's head tree but it was instead from
> ata-dev. The author of the patch told us that it is dangerous even if the bug report
> asking for it says otherwise.
> 
> https://bugzilla.ubuntu.com/show_bug.cgi?id=6109
> 
> The 2 modules are:
> 
> SCSI_ATA_ADMA (ata_adma.ko)
> This option enables support for ADMA-standard ATA controllers.
> 
> SCSI_PATA_PDC2027X (pata_pdc2027x.ko)
> This option enables support for Promise PATA pdc20268 to pdc20277 host adapters.

Which devices are supported by this driver, and how do they overlap with
the pdc202xx_* drivers?  Will removing this module cause device name
changes?

> > There is no need for capability support in the initrd; this seems harmless
> > and therefore I don't think we should change it in the stable release.
> > 
> 
> According to some security guys this delay can cause a very short window of applications
> running without cap support.

Yes, but within the initrd, all processes run with absolute root privileges.
Capabilities are not used at all unless the root capability set is limited,
which is a configuration that we don't test anyway.

> Some of them advocate even that cap should be compiled in and that the
> tristate (as module) is pointless, but that goes to the usual religious
> beliefs in terms of security.  Adding the module is harmless, the fix is
> simply a cp in the right directory.

I'm not comfortable with this, since it can cause behavior changes.  The fix
is simple, but the effects are not simple to predict "in the wild".  Since
the current situation is not particularly broken security-wise, I prefer
that we leave it alone.

> PS do you need to be CC'ed or are you subscribed to this mailing list?

mutt was misconfigured to think that I was not subscribed.  I do not need to
be CCed.

-- 
 - mdz



