RE: Security through Permissiveness: A Zen Riddle?

• Previous message: Huagang Xie: "Re: lids and lsm"
• Maybe in reply to: Shane Kerr: "Security through Permissiveness: A Zen Riddle?"
• Next in thread: richard offer: "RE: Security through Permissiveness: A Zen Riddle?"
• Reply: richard offer: "RE: Security through Permissiveness: A Zen Riddle?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> I don't think that any LSM interface could support what you want through
> permission functions without also being very difficult to get right.
> Read: commercial unix vendors have tried similar things, and users
> always seem to be able to use one or the other so-called capabilities to
> gain more until the user is a full root user with all so-called
> capabilities.

Not necessarily true, on 2 counts.  First, VirtualVault and predecessors
have used this sort of mechanism, on both processes and programs.  And 
there are and have been others out there also.  Those
systems can limit capabilities for processes beginning at login time,
attenuated during the session if desired, but not allowing all the
root capabilities.  Such users should be trusted, but even trusted users
can make mistakes or be mislead by others.

Also, by allowing capabilities to be placed on programs, users who need
programs to perform special services run programs that turn on a limited
set of capabilities for the duration of the program (and their children in
some systems, but not in others).  Malicious users don't get 
the same chance to cause a program bug to allow them to take over the
system.  The scope of what they get ahold of is limited by the set of
capabilities raised in the program.  I think having capabilities placed
on programs is still a worthwhile security mechanism.  Purely process-based
capabilities give away far too much during a session.

Second, not all the capabilities in the kernel will allow one to obtain
other
capabilities.  Certainly overriding DAC will let someone easily override
MAC (e.g., altering the MAC DBs), but some of the other capabilities at 
best allow the user to create DoS scenarios.

From what I see in the LSM code so far, LSM does not preclude such
mechanisms as I have discussed.

--steve kramer

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module

• Next message: richard offer: "RE: Security through Permissiveness: A Zen Riddle?"
• Previous message: Huagang Xie: "Re: lids and lsm"
• Maybe in reply to: Shane Kerr: "Security through Permissiveness: A Zen Riddle?"
• Next in thread: richard offer: "RE: Security through Permissiveness: A Zen Riddle?"
• Reply: richard offer: "RE: Security through Permissiveness: A Zen Riddle?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Jul 13 2001 - 07:40:26 PDT