RE: Security through Permissiveness: A Zen Riddle?

From: KRAMER,STEVEN (HP-USA,ex1) (steven_kramerat_private)
Date: Fri Jul 13 2001 - 07:39:35 PDT

    > I don't think that any LSM interface could support what you want through
    > permission functions without also being very difficult to get right.
    > Read: commercial unix vendors have tried similar things, and users
    > always seem to be able to use one or the other so-called capabilities to
    > gain more until the user is a full root user with all so-called
    > capabilities.
    
    Not necessarily true, on 2 counts.  First, VirtualVault and predecessors
    have used this sort of mechanism, on both processes and programs.  And 
    there are and have been others out there also.  Those
    systems can limit capabilities for processes beginning at login time,
    attenuated during the session if desired, but not allowing all the
    root capabilities.  Such users should be trusted, but even trusted users
    can make mistakes or be misled by others.
    
    Also, by allowing capabilities to be placed on programs, users who need
    programs to perform special services run programs that turn on a limited
    set of capabilities for the duration of the program (and their children in
    some systems, but not in others).  Malicious users don't get 
    the same chance to cause a program bug to allow them to take over the
    system.  The scope of what they get ahold of is limited by the set of
    capabilities raised in the program.  I think having capabilities placed
    on programs is still a worthwhile security mechanism.  Purely process-based
    capabilities give away far too much during a session.
    
    Second, not all the capabilities in the kernel will allow one to obtain other
    capabilities.  Certainly overriding DAC will let someone easily override
    MAC (e.g., altering the MAC DBs), but some of the other capabilities at 
    best allow the user to create DoS scenarios.
    
    From what I see in the LSM code so far, LSM does not preclude such
    mechanisms as I have discussed.
    
    --steve kramer
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
    
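The rule the message argues for (a program may raise only a limited set of capabilities, and never more than the session was left with at login) is how Linux later implemented file capabilities; the model below reproduces the exec-time transformation from capabilities(7), ambient set and root special cases omitted. It is an added worked example, not code from the original message or from LSM, and the capability names, bit values and login scenario are constructed for illustration.

```python
from enum import IntFlag


class Cap(IntFlag):
    """A small subset of Linux capabilities; bit positions are arbitrary here."""
    CHOWN = 1 << 0
    DAC_OVERRIDE = 1 << 1
    NET_BIND_SERVICE = 1 << 2
    SYS_ADMIN = 1 << 3
    MAC_ADMIN = 1 << 4


NONE = Cap(0)


def exec_caps(proc, file):
    """Exec-time transformation from capabilities(7), ambient set omitted.

    proc: 'permitted', 'inheritable', 'bounding' (Cap sets of the caller)
    file: 'permitted', 'inheritable' (Cap sets) and 'effective' (bool), i.e.
          what setcap(8) stores on the program. Root/setuid cases not modelled.
    """
    new_permitted = (proc["inheritable"] & file["inheritable"]) | (
        file["permitted"] & proc["bounding"]
    )
    return {
        "permitted": new_permitted,
        "inheritable": proc["inheritable"],
        "effective": new_permitted if file["effective"] else NONE,
        "bounding": proc["bounding"],  # the bounding set never grows across exec
    }


def login_session(bounding):
    """An unprivileged session whose bounding set was attenuated at login."""
    return {"permitted": NONE, "inheritable": NONE, "bounding": bounding}


def setcap_file(permitted, effective=True):
    """A program carrying file capabilities, e.g. 'cap_net_bind_service=ep'."""
    return {"permitted": permitted, "inheritable": NONE, "effective": effective}


def run_demo():
    # Constructed scenario: login left the session two capabilities; the user
    # then runs a program whose file capabilities ask for more than that.
    session = login_session(Cap.CHOWN | Cap.NET_BIND_SERVICE)
    program = setcap_file(Cap.NET_BIND_SERVICE | Cap.DAC_OVERRIDE | Cap.SYS_ADMIN)
    return exec_caps(session, program)
```

Only `NET_BIND_SERVICE` survives the exec: `DAC_OVERRIDE` and `SYS_ADMIN` are masked off by the bounding set, so a bug in that program cannot hand the user the DAC override the message warns about.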

    This archive was generated by hypermail 2b30 : Fri Jul 13 2001 - 07:40:26 PDT