Stephen Smalley wrote:

> Right. I'm not clear as to where this issue is headed now. It seems
> like Chris Wright issued a challenge to SGI to demonstrate that the
> existing capable hook wasn't sufficient. Lachlan gave an example where
> capable is called even when the DAC logic would succeed, but also said
> that this wasn't an issue for SGI since the restrictive hook is called
> first. So it isn't clear to me that the case for authoritative hooks
> has been made.

Okay. I'll try again. I'll give two examples, one we're working with the XFS group on, and one that's a request I've gotten from a source best not named. These are both real cases. I'm not making this up!

1. POSIX ACLs

Semantics require an authoritative hook. A file with the ACL

    u::rw,g::r,o:-,m::rw,u:greg:rw

will grant the user greg access even if he is in the owning group. A restrictive hook would not grant Greg access, as it would fail the mode bit check. In Irix we use an authoritative hook for ACLs because of this case. (One could argue that this behavior is inappropriate, but it's a policy decision that the POSIX group felt best extended the mode bit scheme.) The capable() function does not have enough information (it lacks the file attributes and the type of access) to intercede.

2. Hovan ACLs

Hovan ACLs (that's the name given this scheme by the POSIX group; there is probably a more official name out there) allow members of the FILE_OWNER_CLASS to modify the membership lists of the FILE_OWNER_CLASS, FILE_GROUP_CLASS, and FILE_OTHER_CLASS. A file with the ACL

    FILE_OWNER_CLASS:OWNER,greg
    FILE_GROUP_CLASS:GROUP
    FILE_OTHER_CLASS:WORLD

will grant the user greg access even if he is in the owning group. A restrictive hook would not grant Greg access, as it would fail the mode bit check.
--
Casey Schaufler    Manager, Trust Technology, SGI
caseyat_private    voice: 650.933.1634
casey_pat_private  Pager: 888.220.0607
_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
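Added example, not part of the original message: a small C model of case 1, comparing a restrictive and an authoritative composition of the mode-bit check with a POSIX.1e-style ACL check for the ACL quoted in the post. It assumes, as the post describes, that the mode-bit check uses the g:: entry for members of the owning group; all type and function names are hypothetical and are not kernel or LSM interfaces.

```c
#include <stdio.h>
#include <string.h>
/* Added illustration: every name here is hypothetical, not a kernel or LSM interface. */
enum { R = 4, W = 2 };
enum tag { USER_OBJ, USER, GROUP_OBJ, MASK, OTHER };
struct ace { enum tag tag; const char *who; int perm; };
struct subject { const char *name; int is_owner, in_owning_group; };
/* Constructed from the ACL quoted in the post: u::rw,g::r,o:-,m::rw,u:greg:rw */
static const struct ace acl[] = {
    { USER_OBJ, "", R | W }, { GROUP_OBJ, "", R }, { OTHER, "", 0 },
    { MASK, "", R | W },     { USER, "greg", R | W },
};

/* Permissions of the entry with this tag and qualifier, or -1 if absent. */
static int entry(enum tag tag, const char *who) {
    for (size_t i = 0; i < sizeof acl / sizeof acl[0]; i++)
        if (acl[i].tag == tag && strcmp(acl[i].who, who) == 0)
            return acl[i].perm;
    return -1;
}

/* Mode-bit check: only the owner, group and other classes are consulted. */
static int mode_check(const struct subject *s, int want) {
    int p = s->is_owner ? entry(USER_OBJ, "")
          : s->in_owning_group ? entry(GROUP_OBJ, "") : entry(OTHER, "");
    return (p & want) == want;
}

/* ACL check: a named user entry (limited by the mask) wins over the group class. */
static int acl_check(const struct subject *s, int want) {
    int mask = entry(MASK, ""), p = entry(USER, s->name);
    if (s->is_owner)
        p = entry(USER_OBJ, "");
    else if (p >= 0)
        p &= mask;
    else
        p = s->in_owning_group ? entry(GROUP_OBJ, "") & mask : entry(OTHER, "");
    return (p & want) == want;
}

/* Restrictive: the ACL hook can only veto what the mode bits already allow. */
static int restrictive(const struct subject *s, int want) { return mode_check(s, want) && acl_check(s, want); }
/* Authoritative: the ACL hook's answer replaces the mode-bit result. */
static int authoritative(const struct subject *s, int want) { return acl_check(s, want); }
int main(void) {
    struct subject greg = { "greg", 0, 1 }; /* greg is in the owning group */
    printf("greg write: restrictive=%d authoritative=%d\n", restrictive(&greg, W), authoritative(&greg, W));
    return 0;
}
```

In this model another member of the owning group with no named entry is still limited to read under both compositions, so the authoritative form changes the outcome only where the ACL names the user.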
This archive was generated by hypermail 2b30 : Wed Sep 05 2001 - 11:57:37 PDT