Re: Capabilities

From: Jesse Pollard (pollard@tomcat.admin.navo.hpc.mil)
Date: Tue Feb 29 2000 - 13:29:29 EST


Horst von Brand <vonbrand@pincoya.inf.utfsm.cl>
>Jesse Pollard <pollard@tomcat.admin.navo.hpc.mil> said:
>
>[...]
>
>> Yes, they will be used. But the intent is to be used by system/security
>> administrators and not by the everyday user. If there are 32765 (or 255
>> for that matter) privileged programs, then I would be willing to guarantee
>> that the security on that system is nonexistent. The ability to audit
>> the security activities of programs is a must. I have enough trouble with
>> just the 55 I have. If I find any others on the system, they get removed.
>>
>You are counting wrong. You use an editor to fix configuration files, you
>run ifconfig(8) as root to set up networking, etc. They aren't privileged,
>the user running them is. Once you take that away, the number of programs
>that will need (to be able to get) special privileges will be much larger.
>In /sbin:/usr/sbin (very likely candidates) I count 277 here, in /bin
>(more, somewhat less likely candidates) I've got 88, and then there will
>undoubtedly be others in /usr, /usr/X11/bin, ...

I don't think so. These same programs work fine on an MLS-based system, with
extensive capability controls. They do not need to be privileged. I as
a user edit files that I own. If I as system administrator edit files
that configure the system, then I do so because the system administrator
owns the files. If those files are also marked as security restricted then
I must get permission (either temporarily or permanently) from the security
administrator to modify those files. This does not require the editor to be
privileged. If UNICOS is operating in the B1 mode, then I must have the
system in single user mode before I can modify these files. The programs
still do not have to be privileged. Access controls on the target of the
program are sufficient to restrict what I can do. This is in the category
of "been there, done that".

Now in the case of XFree86 - it shouldn't have privileges, but does due
to its historical implementation. With the advent of frame buffer based
servers, it will lose the setuid capability. As far as MLS goes, it is
necessary to establish the user's security profile before the X server may
be operated.
-------------------------------------------------------------------------
Jesse I Pollard, II
Email: pollard@navo.hpc.mil

Any opinions expressed are solely my own.
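Both sides of this exchange count privileged programs by hand (55 here, 277 in /sbin:/usr/sbin there). As an added illustration that is not part of the thread, the following Python script does that audit for you: it lists every regular file in the given directories that carries the setuid or setgid bit, and runs against a constructed temporary tree that stands in for /sbin. The directory and file names in the sample are invented.

```python
import os
import stat
import tempfile

# Audit helper (added example, not code from the thread): list every regular
# file directly under the given directories that carries setuid or setgid.
# Scanning is non-recursive, mirroring a quick "ls -l /sbin" style count.
def find_privileged(dirs):
    found = []
    for root in dirs:
        if not os.path.isdir(root):
            continue
        for name in sorted(os.listdir(root)):
            path = os.path.join(root, name)
            try:
                st = os.lstat(path)      # lstat: a symlink is never itself setuid
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            bits = []
            if st.st_mode & stat.S_ISUID:
                bits.append("setuid")
            if st.st_mode & stat.S_ISGID:
                bits.append("setgid")
            if bits:
                found.append((path, oct(stat.S_IMODE(st.st_mode)), "+".join(bits)))
    return found

def build_sample_tree():
    """Constructed sample standing in for /sbin: one setuid file, one setgid
    file, one plain executable, and a symlink pointing at the setuid one."""
    root = tempfile.mkdtemp(prefix="sbin-audit-")
    for name, mode in (("ping", 0o4755), ("wall", 0o2755), ("ifconfig", 0o755)):
        path = os.path.join(root, name)
        with open(path, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
        os.chmod(path, mode)
    os.symlink(os.path.join(root, "ping"), os.path.join(root, "ping6"))
    return root

if __name__ == "__main__":
    # Point find_privileged at real directories such as ["/sbin", "/usr/sbin", "/bin"]
    # to reproduce the counts debated above on your own system.
    for path, mode, kind in find_privileged([build_sample_tree()]):
        print(f"{mode} {kind:14s} {path}")
```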




This archive was generated by hypermail 2b29 : Tue Feb 29 2000 - 21:00:22 EST