Seth Arnold wrote:

>>Ideally, I suppose that I would like to have physical access to the
>>machine be a prerequisite for a shutdown request to be honored.
>>
>>
>Ok. This sounds like a reasonable policy; at least, it is concrete
>enough to work with. :)
>

That is a well-defined, enforceable policy, which is good. However, I'm
not convinced that it is actually a wise policy, because it requires
someone to be physically present to do the shutdown. That's kind of a
problem if:

    * the machine is on top of a telephone pole
    * the machine is in Antarctica
    * there are several thousand machines to be shut down

The way I like to do it is:

    * only the Foo program can shut down the machine
          o "Foo" can be defined by name, by MD5sum on the program text,
            whatever
    * the Foo program itself demands password authentication (or whatever
      other kind of policy enforcement you want)

So the LSM requirement is that there be some enforceable way to specify
to the LSM module what "Foo" is. In SubDomain, we do it with the
"unconstrained child" feature, which says that a confined process can
execute a specific program as an unconstrained child. Unconstrained
processes in turn are allowed to do privileged stuff like shutdown.

The same problem and solutions appear for other dangerous stuff, such as
mounting and unmounting.

Crispin

--
Crispin Cowan, Ph.D.
http://immunix.com/~crispin/
Chief Scientist, Immunix
http://immunix.com
http://www.immunix.com/shop/

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
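The "only Foo may shut down, and a confined process may exec Foo as an unconstrained child" scheme above, as an added user-space model that is not part of the original post and is not SubDomain, AppArmor or LSM code. Everything in it is an assumption made for illustration: the struct and function names, a 64-bit FNV-1a digest standing in for the MD5sum of the program text, constructed program text in place of real binaries, and the choice to refuse an exec outright when a listed path's contents do not match the recorded digest rather than run it confined.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not SubDomain/AppArmor/LSM code: a user-space model of
 * "only Foo may shut down; a confined process may exec Foo as an
 * unconstrained child".  Names are assumptions; FNV-1a stands in for MD5. */

#define MAX_UX 4

enum priv_op { OP_REBOOT, OP_MOUNT, OP_UMOUNT };

enum exec_verdict {
    EXEC_DENIED,          /* listed by name, but program text fails the digest */
    EXEC_CONFINED,        /* not listed: child inherits the parent's profile */
    EXEC_UNCONSTRAINED    /* listed and verified: child runs unconstrained */
};

/* One permitted unconstrained child: a name plus a digest of its text. */
struct ux_target {
    const char *path;
    uint64_t digest;      /* 0 means "match on name only" (weaker binding) */
};

struct profile {
    const char *name;
    struct ux_target ux[MAX_UX];
    int n_ux;
};

/* Per-task security state; a NULL profile means the task is unconstrained. */
struct task_sec {
    const struct profile *profile;
};

/* 64-bit FNV-1a over the program text (assumed stand-in for MD5sum). */
uint64_t text_digest(const void *buf, size_t len)
{
    const unsigned char *p = buf;
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Model of an exec hook: derive the child's state from the parent's profile
 * and the program being executed. */
enum exec_verdict sec_exec(const struct task_sec *parent, const char *path,
                           const void *text, size_t len, struct task_sec *child)
{
    if (!parent->profile) {                 /* unconstrained stays unconstrained */
        child->profile = NULL;
        return EXEC_UNCONSTRAINED;
    }
    for (int i = 0; i < parent->profile->n_ux; i++) {
        const struct ux_target *t = &parent->profile->ux[i];
        if (strcmp(t->path, path) != 0)
            continue;
        if (t->digest != 0 && t->digest != text_digest(text, len)) {
            child->profile = parent->profile; /* right name, wrong contents: refuse */
            return EXEC_DENIED;
        }
        child->profile = NULL;                /* this is Foo: drop confinement */
        return EXEC_UNCONSTRAINED;
    }
    child->profile = parent->profile;         /* anything else stays confined */
    return EXEC_CONFINED;
}

/* Model of the privileged-operation check: reboot, mount and umount all
 * require an unconstrained task; the post applies one rule to all of them. */
int sec_privileged_op(const struct task_sec *t, enum priv_op op)
{
    (void)op;
    return t->profile == NULL;
}

/* Walks the scenario from the post using constructed program text. */
int demo(void)
{
    static const char foo_text[] = "foo: authenticate, then call reboot()"; /* constructed */
    static const char evil_text[] = "trojan placed at /sbin/foo";           /* constructed */
    struct profile daemon = { "daemon", { { "/sbin/foo", 0 } }, 1 };
    daemon.ux[0].digest = text_digest(foo_text, sizeof foo_text - 1);

    struct task_sec parent = { &daemon }, child;
    int ok = 1;

    ok &= !sec_privileged_op(&parent, OP_REBOOT);     /* confined daemon: no reboot */
    ok &= sec_exec(&parent, "/sbin/foo", foo_text, sizeof foo_text - 1, &child)
          == EXEC_UNCONSTRAINED;                       /* genuine Foo: unconstrained */
    ok &= sec_privileged_op(&child, OP_REBOOT);       /* ...and may reboot */
    ok &= sec_exec(&parent, "/sbin/foo", evil_text, sizeof evil_text - 1, &child)
          == EXEC_DENIED;                              /* replaced Foo: refused */
    ok &= sec_exec(&parent, "/bin/sh", "sh", 2, &child) == EXEC_CONFINED;
    ok &= !sec_privileged_op(&child, OP_MOUNT);       /* still confined: no mount */
    return ok;
}

int main(void)
{
    int ok = demo();
    printf("policy model %s\n", ok ? "behaves as described" : "FAILED");
    return ok ? 0 : 1;
}
```

The digest field is what makes "Foo" an enforceable identity rather than a filename: a target with digest 0 is matched on name alone, which holds only as long as nothing can replace the file at that path. The password prompt the post puts inside Foo is deliberately absent here; it belongs to Foo itself, not to the module that decides who may become Foo.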
This archive was generated by hypermail 2b30 : Tue Aug 19 2003 - 15:54:07 PDT