[OLPC Security] SuperUser permission for the Driver??

Jay Sulzberger jays at panix.com
Thu Jun 26 13:22:15 EDT 2008



On Thu, 26 Jun 2008, Deepak Saxena wrote:

> On Jun 25 2008, at 14:01, Carl-Daniel Hailfinger was caught saying:
>> On 25.06.2008 08:07, Michael Stone wrote:
>>> We have an activity that wants superuser privilege in order to poke
>>> kernel memory.
>>>
>>
>> Hello? Please take the poor activity out back and shoot it. No activity
>> has any business poking kernel memory.
>
> What if I replace Michael's statement with some specific use cases:
>
> - An activity requires a specific device driver module to be (un)loaded
>  to properly function and loading this driver requires su privilege.
>
> or:
>
> - An activity requires a device to switch operation modes and that
>  operation mode is configured via a sysfs file. The file is poked
>  by a library API, but it requires su privilege to do so.
>
> I agree with Paul that we need to have a solution to these
> cases iff we want to support running arbitrary software and
> hw combinations on the XO. The other option is to limit the
> scope of the system to a very specific set of sw and hw,
> treating the XO as embedded education appliance instead of
> a general-purpose laptop device, which I don't think
> we want to do.

It can be a general purpose laptop.  And we need not surrender
our common sense: if we want the thing to be better, it will have
to be different.  In particular, it cannot have kernel modules
promiscuously loaded and unloaded.  Thus not all software will
run on the laptop.  But that is already the case for the most
widely distributed home systems: a Microsoft program will not run
on GNU/Linux, an Apple program will not run on a Microsoft OS,
etc..

>
> I don't have any immediate answers to any of Michael's questions
> but I think looking at how the standard ditros deal with this
> would be a starting point.
>
> ~Deepak

The usual free Unices' security apparatus is ludicrously
inadequate.  The XO system should be much better.

oo--JS.


>
> -- 
> Deepak Saxena <dsaxena at laptop.org>
> _______________________________________________
> Security mailing list
> Security at lists.laptop.org
> http://lists.laptop.org/listinfo/security
>
>



More information about the Devel mailing list