Re: Security through Permissiveness: A Zen Riddle?

From: Chris Wright (chrisat_private)
Date: Thu Jul 12 2001 - 13:10:17 PDT


    * Shane Kerr (shane@time-travellers.org) wrote:
    > I've touched on this before, but I figure I may as well keep trying
    > until I get an answer:  Is it possible to create an LSM with the current
    > proposed model that will allow me to grant only a small subset of root
    > privileges to a specific executable?  If not, is there another way to go
    > about this (perhaps by using other hooks and dropping privileges for the
    > processes - i.e. when exec() runs "ntpd" drop all privileges except for
    > bind() and adjtime(), and when that process calls bind() drop that
    > privilege - yuck)?
    
    There are many ways to accomplish this I imagine.  I don't think this
    is necessarily permissive.
    
    To me permissive is a way to grant privileges to traditionally unprivileged
    users (i.e.  non-root).  This has the advantage that you are subject
    to all root privilege checks except for the specific areas where you've
    been granted exemption (least privileges).  On the other hand, you can
    give someone root, and via extended attributes (not yet mainstream)
    or a simple flat file, define ways that this incarnation of root is
    heavily restricted.  Again you are granting least privileges, but you
    will pass all root privilege checks, so you are relying on what we're
    calling restrictive hooks.
    
    Because the hooks are geared towards kernel objects there may be many
    ways to leverage them.  For example, you could monitor at exec time and
    tie privileges to the running process based on its name or inode.  You
    could allow it to run privileged until it attempted an action that is
    marked as dangerous and its privileges could be limited.  I'm sure
    there are other ways, but you get the idea.
    
    Given the above, I believe this is possible with the current proposal
    (alright, so bind hasn't really been handled yet, but it will be ;-).
    Your security module could handle permissions in either way, and I
    believe there is some general agreement that both have value.
    
    -chris
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
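The two hook styles Chris describes (permissive: grant a non-root task a privilege subset; restrictive: confine a root task to that same subset, optionally dropping a privilege once it has been used) modelled in userspace. This is an added illustration, not code from the thread or from any LSM; the policy table keyed by executable name and the string "capabilities" are constructed for the example.

```python
"""Userspace model of permissive vs. restrictive privilege hooks (constructed)."""
from dataclasses import dataclass, field
from typing import Optional, Set

ROOT_UID = 0

# Hypothetical policy, as a flat file might express it: ntpd may only
# bind sockets and adjust the clock, nothing else root could normally do.
POLICY = {
    "ntpd": {"bind", "adjtime"},
}


@dataclass
class Task:
    uid: int
    exe: str = ""
    allowed: Optional[Set[str]] = None   # None means "no policy attached"
    log: list = field(default_factory=list)


def exec_hook(task: Task, exe: str) -> None:
    """At exec time, tie the policy for this executable to the task."""
    task.exe = exe
    task.allowed = set(POLICY[exe]) if exe in POLICY else None


def check_privilege(task: Task, cap: str, drop_after_use: bool = False) -> bool:
    """Decide one privileged action.

    No policy: the ordinary uid-based outcome (root passes, others fail).
    Policy present: non-root is *granted* listed caps (permissive), root is
    *limited* to listed caps (restrictive); optionally drop a cap once used.
    """
    if task.allowed is None:
        return task.uid == ROOT_UID
    if cap not in task.allowed:
        task.log.append(f"denied {cap} for {task.exe} uid={task.uid}")
        return False
    if drop_after_use:
        task.allowed.discard(cap)   # e.g. ntpd loses bind() after its one bind
    return True


def run_ntpd_scenarios() -> dict:
    """Outcomes for the cases raised in the thread."""
    r = {}
    t = Task(uid=1000); exec_hook(t, "ntpd")            # permissive case
    r["permissive_bind"] = check_privilege(t, "bind")
    r["permissive_chown"] = check_privilege(t, "chown")
    t = Task(uid=ROOT_UID); exec_hook(t, "ntpd")        # restrictive case
    r["restrictive_adjtime"] = check_privilege(t, "adjtime")
    r["restrictive_chown"] = check_privilege(t, "chown")
    r["bind_first"] = check_privilege(t, "bind", drop_after_use=True)
    r["bind_second"] = check_privilege(t, "bind")       # dropped after use
    t = Task(uid=ROOT_UID); exec_hook(t, "sshd")        # no policy: plain root
    r["unconfined_root"] = check_privilege(t, "chown")
    return r
```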
    