Re: Legitimate Question

From: Stephen Smalley (sdsat_private)
Date: Thu Jan 24 2002 - 13:14:28 PST

    On Thu, 24 Jan 2002 jmjonesat_private wrote:
    
    > Wouldn't it be useful for a userspace application that is
    > setuid root to be able to bypass the module's checks?
    
    Useful for people who want to break into your systems, yes.  One of the
    problems with existing Unix systems is that you only need to find a single
    setuid root program or root daemon that has a flaw, and you can take
    control of the entire system.
    
    > Isn't setuid ROOT generally assumed to be a "non-restricted"
    > condition?
    
    By the Unix DAC logic, yes, although capabilities are a step toward
    partitioning up root privileges.  That doesn't mean that you want to treat
    root specially in your security module.
    
    > How does the new paradigm change that, specifically, and
    > why SHOULD it do that?
    
    That is up to the security module.
    
    I'd encourage you to read the intro to the SELinux paper from Freenix
    (http://www.nsa.gov/selinux/doc/freenix01/node1.html).
    
    --
    Stephen D. Smalley, NAI Labs
    ssmalleyat_private
    
    
    
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
    



    This archive was generated by hypermail 2b30 : Thu Jan 24 2002 - 13:16:32 PST