Re: Capabilities

From: Linda Walsh (law@sgi.com)
Date: Thu Mar 02 2000 - 17:16:49 EST


Albert D. Cahalan wrote:
> This is totally user-hostile, so it won't be used very much.
> The X server and window manager must be trusted software.
> This is what Trusted Solaris claims to do. Windows get marked
> with security data. Cut-and-paste is controlled.

---
I'm curious here.  I'm rather new to trust, so bear with me.

Let's say I am rated 'secret' -- anything I produce is tagged as such.  Also, as secret, I can only access programs and data of integrity=basic (we don't want me willy-nilly running any old program sitting around).

The first question is how would I start a window at say rating 'unclassified' (assuming I have another signon or my signon has multiple sensitivity ratings)?

Second question. I'm in an xterm-type window in a shell. I now type 'su' and 'su' to a user with a lower classification. The window is still owned by me, but in the window I'm running a lesser classified user. Couldn't I cut and paste from the same window into itself? Suppose I exit the lower classification (which produces information of integrity=low). Now can't I cut/paste in the same window and upgrade the integrity without checking if I have such authorization?

Would being able to execute 'login' from the shell be any different?

The same could happen in reverse with a low classified user su'ing or logging into a higher classified user, cat'ing out a file, then returning to the lower classification to do the paste, thus lowering data classification without authorization?

Another scenario -- I've su'ed to the lower sec user. My background process I started earlier spits out 'secret' output. Will it be interspersed with my unclassified output?

If my declassified user launches another Xapp, say a word processor, wouldn't it be possible for confusion to occur about which windows are at what level and I might end up typing secret into unclassified -- or is that just a case of 'user beware'?

Theoretically login and su don't know about Xwindows. Even if they could somehow alter the current window's properties, I might have my DISPLAY variable set to another host -- might it prove difficult to find the right window to alter?

These are all probably trivially solved by some implementations, but I'm just curious as to how all this is handled smoothly?

-linda (who wonders at the complexity of all these interactions)

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/



This archive was generated by hypermail 2b29 : Tue Mar 07 2000 - 21:00:13 EST