On Tue, Aug 19, 2003 at 09:04:01AM -0700, Seth Arnold wrote: > On Tue, Aug 19, 2003 at 09:52:00AM -0700, Michael Halcrow wrote: > > Whoever or whatever is authorized to do so in *BSD's implementation. > > If anyone knows the best answer to this, please don't hesitate to let > > me know. Meanwhile, I'm going to keep researching this. > > securelevel(7) from my OpenBSD machine. Note that it doesn't mention > anything about rebooting the system. :) I am painfully aware of this fact. Thank you for reminding me though. :-) > Another thing to consider: /sbin/shutdown, or telinit 0, telinit 6, etc, > kill and mangle a -lot- of processes on the way down -- do you really > want to prevent the reboot(2) at the end of all that process if your > securelevels deal isn't properly twitched? The idea is that everything past /sbin/shutdown, or telinit 0, 6, etc., is allowed, no matter what the secure level. Doing so in a manner that is protected against compromise is another story altogether. In other words, whatever the vendor ships as the shutdown process is authorized. If a device is being unmounted during shutdown, I want that to happen. Whatever an attacker attempts to do is not authorized. If an attacker attempts to unmount a device as the superuser, dissallow it. Keeping the vendor's shutdown procedure from getting hijacked by an attacker seems to be my challenge. With OpenBSD, the kernel guys and the vendor guys are on the same team, and can coorperate fully on this. With Linux, the kernel guys and the vendor guys are mixed and matched. I am trying to figure out exactly to what degree this is even an issue; in other words, how much of a BSD Secure Levels LSM must cooporate with a vendor's distro in order to allow normal administrative shutdowns to occur. Ideally, I suppose that I would like to have physical access to the machine be a prerequisite for a shutdown request to be honored. When a valid shutdown request event occurs at the machine, a flag somewhere is set in the LSM to let it know that all operations past that point are allowed. This must be done in such a manner that an attacker cannot gain control over the shutdown process to exploit the system while its defenses are down. This would include protecting against trojan horses from being placed in the code that is executed by the shutdown process. Perhaps that would mean several things. Once shutdown has initiated: - No new processes may be created (would this break the shutdown process?) - All login sessions must be terminated - No new logins will be accepted - ...? The trick is, what is the best criteria that defines, ``the shutdown has initiated''? > And one last item to consider; Robb, from IBM's LTC, was working on a > securelevels implementation for LSM. I don't think he is with the LTC > any longer, but perhaps his module is still wending its way through the > byzintine IBM legal system to get an IBM/GPL Stamp Of Approval. Actually, Robb recently transfered to another team in the LTC, and I am an intern who inherited the project (and his nice modular desk :-) from him. The module was only partially implemented when I started work on it. ;-) Mike -- ------------------------------------------- | --------------------- Michael Halcrow | mikeat_private Developer, IBM Linux Technology Center | | Want to make $$$$ really quick? It's easy: | Hold down Shift and hit '4' four times. | ------------------------------------------- | --------------------- GnuPG Keyprint: 05B5 08A8 713A 64C1 D35D 2371 2D3C FDDA 3EB6 601D
This archive was generated by hypermail 2b30 : Tue Aug 19 2003 - 09:40:03 PDT