On Thu, 24 Jan 2002, Crispin Cowan wrote:

> jmjonesat_private wrote:
>
> >Um, the only problem I have is getting the executable I write to be "full
> >permission" on a variety of systems.
> >
> ... bypassing security.

Not exactly. The 'executable' I was referring to would be the "permission
tester" used during install, which would have to have both its own
permission to do things and be able to adopt the permission of the
application being installed (setsec()?) to determine if it will have
permission to do things when operating (a special permission in itself.)

The way I phrased it betrays my LSM-incorrect "root permission followed by
setuid/setgid" thinking. Similar to running an install script as root and
then checking the owner/group/permissions of pre-existing files and
directories to determine if the application will have the access it needs
and adjusting (or failing) the installation appropriately.

> It CANNOT be done in a cross-module manner. At best, you can write one
> program that speaks the language of several modules. That is as
> cross-module as it is ever going to get.

Yes, thanks to this discussion I see that you are correct. My question
was based on the observation that different modules will use different
strategies and, until the target application is actually running, it is
not evident from examination of the permissions of various resources if it
will actually have permission to access anything.

Shell scripts that use code such as

    if test -r filename
    then
       ...
    else
       ...
    fi

no longer, necessarily, indicate that the file will be readable by another
application running as the same owner/group as the testing script.

I was hoping for some sort of

    if test --As_If_I_Was other_app -r filename
    ...

that would provide similar function across LSM modules.

This will require a different sort of thinking and I was trying to get a
handle on what it will mean for "installer mechanisms" that I'm using.
I now see that the version of 'test' will have to match the module and
it's not going to be likely there can be a "one version fits all"
solution.

>
> Crispin
>
> --
> Crispin Cowan, Ph.D.
> Chief Scientist, WireX Communications, Inc. http://wirex.com
> Security Hardened Linux Distribution: http://immunix.org
> Available for purchase: http://wirex.com/Products/Immunix/purchase.html

Thanks,
J. Melvin Jones

|>------------------------------------------------------
||  J. MELVIN JONES            jmjonesat_private
|>------------------------------------------------------
||  Microcomputer Systems Consultant
||  Software Developer
||  Web Site Design, Hosting, and Administration
||  Network and Systems Administration
|>------------------------------------------------------
||  http://www.jmjones.com/
|>------------------------------------------------------

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Fri Jan 25 2002 - 05:21:37 PST