Re: Ke: Process Capabilities on 2.2.16, Sendmail problem revisited

From: Jesse Pollard (pollard@tomcat.admin.navo.hpc.mil)
Date: Thu Jun 15 2000 - 16:24:01 EST


Pavel Machek <pavel@suse.cz>:
> HI!
>
> > > Just as programming languages can not prevent bugs, security
> > > systems can not prevent complete administrative abuse.
> > > Not even MAC can prevent this kind of error... if an install
> > > program asks you to grant it MAC override, do you do so?
> >
> > If MAC override is in some piece of junk like elfcap then I have no audit
> > control to determine if it is there.
>
> Why? You have a tool that parses elf headers and tells you if elfcap
> header is active. Is that what your concern was? It takes "a lot of time"
> to get elfcap header, but it can be done.

Because the audit "lot of time" doesn't include tar files which can contain
these things too. Capabilities should not be in tar files.

> > > Oh bullshit. You've not proven any of that. I can well imagine
> > > that one might think elfcap is ugly, but it gets the job done.
> > > It is just horrible to require exotic filesystem features and
> > > exotic backup tools when they shouldn't be needed at all.
> >
> > It is only reasonable as a prototype, not production.
>
> Why not? It works. It is slow when doing lscap, and ugly; otherwise it
> has no disadvantages.

It has severe audit and verification problems.
 
> > > It is about time that you admit elfcap gets the job done.
> >
> > Again, it is only reasonable as a prototype. It is not reliable, nor
> > fully enforceable as it stands. It is no better than setuid, and it
> > diffuses the ability to audit setuid since the actual privileges are
> > not apparent. That makes it difficult/impossible to have a verifiable
> > audit.
>
> It is not impossible. lscap is complicated, but possible (and already
> done). "Actual privileges" can be read from inside the file; that's
> slow, but as long as the algorithm for determining elfcap header is the same in
> kernel and in lscap, it is okay.

lscap doesn't look at files stored in tar or compressed files. elfcaps are
not cleared on file write, or copy. I cannot determine where the bits are set.
A cleaned system only exists until the first file is written.

The system cannot be validated, but elfcaps DO allow the kernel use of
capabilities to be tested.

-------------------------------------------------------------------------
Jesse I Pollard, II
Email: pollard@navo.hpc.mil

Any opinions expressed are solely my own.
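The audit gap Jesse describes, that lscap only inspects files already on disk and never looks inside tar archives, can be illustrated with a small archive scanner. The following is an added example, not code from this thread or from the elfcap patch; it walks a tar archive in memory, flags members that carry ELF magic (decoding the ELF type and byte order from the header) or setuid/setgid mode bits, and uses a constructed sample archive as input. It does not parse the elfcap header itself, since that header's format is not given here; the `build_sample_tar` and `audit_tar` names are this example's own.

```python
import io
import stat
import struct
import tarfile

ELF_MAGIC = b"\x7fELF"
# ELF e_type values from the ELF specification
ELF_TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}


def build_sample_tar() -> bytes:
    """Constructed sample archive: one setuid ELF-style binary and one shell script."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        # Minimal 64-byte ELF64 header: magic, class=64-bit, little-endian,
        # version 1, then e_type=EXEC and e_machine=x86-64 at offset 16.
        elf = ELF_MAGIC + bytes([2, 1, 1]) + b"\0" * 9
        elf += struct.pack("<HH", 2, 62) + b"\0" * 44
        info = tarfile.TarInfo("usr/bin/tool")
        info.size = len(elf)
        info.mode = 0o4755          # setuid root-style mode bits
        tf.addfile(info, io.BytesIO(elf))

        script = b"#!/bin/sh\necho hello\n"
        info = tarfile.TarInfo("usr/bin/hello.sh")
        info.size = len(script)
        info.mode = 0o755
        tf.addfile(info, io.BytesIO(script))
    return buf.getvalue()


def inspect_elf_header(head: bytes) -> dict:
    """Decode byte order and e_type from the first bytes of an ELF file."""
    endian = "<" if head[5] == 1 else ">"   # EI_DATA: 1 = LSB, 2 = MSB
    e_type = struct.unpack_from(endian + "H", head, 16)[0]
    return {"elf_type": ELF_TYPES.get(e_type, f"unknown({e_type})"),
            "elf_class": "64" if head[4] == 2 else "32"}


def audit_tar(data: bytes) -> list:
    """Report archive members that are ELF objects or carry setuid/setgid bits.

    Only regular files are read; the first 64 bytes are enough for the
    ELF identification and e_type fields.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf:
            if not member.isfile():
                continue
            head = tf.extractfile(member).read(64)
            is_elf = head.startswith(ELF_MAGIC) and len(head) >= 18
            finding = {
                "name": member.name,
                "elf": is_elf,
                "setuid": bool(member.mode & stat.S_ISUID),
                "setgid": bool(member.mode & stat.S_ISGID),
            }
            if is_elf:
                finding.update(inspect_elf_header(head))
            if is_elf or finding["setuid"] or finding["setgid"]:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit_tar(build_sample_tar()):
        print(f)
```

Any member reported as ELF would still need its in-file privilege header checked by the same code path the kernel uses, which is exactly the verification burden the thread is arguing about; the scanner only narrows the set of files that need that check and catches setuid bits that a disk-only audit would miss until after extraction.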




This archive was generated by hypermail 2b29 : Thu Jun 15 2000 - 21:00:36 EST