[CRIU] Hardening the criu service daemon
Florian Weimer
fweimer at redhat.com
Fri Sep 11 06:23:40 PDT 2015
On 09/11/2015 03:17 PM, Ruslan Kuprieiev wrote:
> Hi,
>
> On 11.09.15 16:06, Pavel Emelyanov wrote:
>>> Are there any objections because the service daemon is seen as an
>>> important feature or is it okay to be removed?
>> I'm OK with it.
>>
>> I would even suggest deprecating the service as a whole, but before doing
>> this we should implement the "self dump" facility via swrk and then audit
>> the swrk mode for not being subject to the same CVEs.
>>
>> -- Pavel
> Why deprecate it at all? Isn't it much more secure to let users use
> service socket instead of giving them a suid-ed binary?
Currently, both are equally insecure. Making the binary SUID isn't even
documented, as far as I know.
--
Florian Weimer / Red Hat Product Security